Free EMR Newsletter Want to receive the latest news on EMR, Meaningful Use, ARRA and Healthcare IT sent straight to your email? Join thousands of healthcare pros who subscribe to EMR and EHR for FREE!

EMR Data Theft Returns!

Posted on August 8, 2011 I Written By

Dr. West is an endocrinologist in private practice in Washington, DC. He completed fellowship training in Endocrinology and Metabolism at the Johns Hopkins University School of Medicine. Dr. West opened The Washington Endocrine Clinic, PLLC in 2009. He can be contacted at doctorwestindc@gmail.com.

My August 3rd post Data breaches and EMRs: bad guys or just dumb mistakes? discussed my skepticism about the DEFCON level we need to have regarding EMR and EHR.  I found it eyebrow-raising when Reuters was quick to distance itself from the author at the beginning of her article The road to electronic health records is lined with data thieves, which I have not often seen in EMR and EHR blogs.  After I read through it, I began to think that maybe the disclaimer had to do with the content of the post.  This story was a bit more interesting than Digitized medical records are easy prey, but all is not lost, the topic of my August 3rd commentary, in that it really highlighted more of the paranoia and fear about what could be rather than what probably will be.  I’ve also said in previous posts that it’s not that I believe electronic medical records are going to be completely secure and HIPAA compliant under all circumstances.  However, the following excerpts from the Reuters post drove me nuts with all the fear mongering that was clearly promoted.

Setting an epic tone for her piece, Constance Gustke begins discussing “The future of your personal health information…” and“gigantic Internet-driven databases”.  The rest of her post includes the following comments.  I admit they’re a bit voluminous, but the quotability here was difficult to resist.

“the data being stored is sensitive and so far it isn’t very secure,”

“… access explodes”.

“data breaches can have harmful effects, including medical discrimination.”

“we can’t see who uses our electronic records,” “And they can be back-door mined.”

“only 10 percent of all hospitals lock down their data”  “HHS investigations have found… dozens of data breaches… in New York, California, Illinois, Texas, Massachusetts, Georgia and Missouri.”

“patients can put their information at risk at home, too, using unsafe computers that may not be secure”

“wild west in terms of how data flows,”  

“Assets are roaming on the open ranges.  And the rustlers are out foxing us all.”

“identity thieves and other fraudsters”  

“Medical records are a gold mine of personal data, including Social Security numbers,”  “financial and medical information.”  “It shows everything about you.”

“Even more dangerous, stolen medical data can damage your healthcare.  There could be more healthcare discrimination,”

“government regulation is weak.” “doesn’t offer enough protections”  “no system can completely track access”.

“Currently, there are 281 cases listed, including hospitals, doctors and insurance companies that reported large data thefts, losses and other breaches. For example, HHS found that Massachusettes Eye & Ear Infirmary and Kaiser Permanente Medical both had medical data thefts.”

But which were cases of electronic theft that actually required hacking?  Which ones were specifically due to the fact that the records were stored on an EMR or EHR system and then electronically stolen?  This is to me perhaps the most important question, since without true electronic crime, a lot of the gusto cited above tends to be less grounded.  She doesn’t stop with EMRs, but rather goes on to warn, “Right now, portals put more information at risk.”  Okay, okay…  I think I get the message.

Dr. West is an endocrinologist in private practice in Washington, DC.  He completed fellowship training in Endocrinology and Metabolism at the Johns Hopkins University School of Medicine. Dr. West opened The Washington Endocrine Clinic, PLLC, as a solo practice in 2009.  He can be reached at doctorwestindc@gmail.com.

HIPAA Breaches Related to EMR

Posted on March 25, 2010 I Written By

John Lynn is the Founder of the HealthcareScene.com blog network which currently consists of 10 blogs containing over 8000 articles with John having written over 4000 of the articles himself. These EMR and Healthcare IT related articles have been viewed over 16 million times. John also manages Healthcare IT Central and Healthcare IT Today, the leading career Health IT job board and blog. John is co-founder of InfluentialNetworks.com and Physia.com. John is highly involved in social media, and in addition to his blogs can also be found on Twitter: @techguy and @ehrandhit and LinkedIn.

Someone sent me an email with this link to the list of HIPAA breaches affecting 500 or more individuals. One of my popular searches on EMR and HIPAA is about HIPAA lawsuits, so you can imagine the lawyers are salivating over this list.

In a quick count, I found 31 on the list that were desktop, laptop, or other computer related device. In another quick count, I counted 46 on the list (feel free to correct my counts, but the range is right). The person who emailed me suggested that most of the list was breaches of EMR. I personally don’t think that’s the case.

One thing seems pretty certain. Technology has opened the doors for larger breaches. In the paper world, it’s a little harder to lose/misplace/steal 500 or more individuals information. It happens, but it’s much easier in the digital world. Plus, there’s a lot more vagueness in technology when a breach happens.

In the digital world, it’s often a best guess about what happened during a breach. Most of the time breaches happen in the technical world, they probably didn’t give a rip about the healthcare data. However, there’s the potential that they did, so you get to report it. Enough of that tangent.

One other problem with the assertion that most of this list is from an EMR breach is that I was surprised how many insurance providers were on the list. In fact, it seems like a large portion of the breaches were insurance lists probably. Not sure that’s an EMR breach.

I think it’s also interesting to note that this list of breaches is probably far below the reality. This is just the list of reported cases. I can’t imagine how many breaches happen that go unreported.

Of course, this begs the question of whether we should be moving to electronic records at all if there’s more possibility for breaches. My answer is that of course we should. Although, it should give us real pause as we consider the security of those systems as well. Stuff happens, but we shouldn’t put the possibility of breaches make us set aside the benefits of technology.