For those who signed up for health care under the federal or state plans that rolled out in late 2013, I hope your experience was better than mine. Living in Minnesota, I enrolled in MNsure, the state program. The process took six hours.
Unfortunately, poorly functioning websites are not the only digital problem plaguing health care plan enrollment. Having completed audits of federal and state sites, government agencies and independent organizations are proclaiming that many – including healthcare.gov and MNsure.org – rate poorly when it comes to safeguarding sensitive medical information.
For example, an article that appeared in The Weekly Standard on January 24 reported on a huge security glitch in the federal website, HealthCare.gov. According to TrustedSec CEO David Kennedy, who is quoted in the piece, the enrollment website allows attackers to create functioning, and potentially malicious, Web pages within the HealthCare.gov website. (Read more about the rollout – and the fallout – in Why the First Rollout of HealthCare.gov Crashed, an Architectectural Assessment.)
Right around the same time as the federal HealthCare.gov rollout, a major security breach of personal financial data held by Target was reported. It is believed that up to 40 million credit and debit cards may have been impacted.
I mentioned earlier that I am from Minnesota, home to Target’s headquarters and a state health care enrollment website that is less than stellar when it comes to securing members’ personal data. It’s hard not to wonder if a pattern is emerging. Especially when MinnPost, a local online news service, runs a story about the lack of security around state pharmacy records. After all, if Target can’t protect financial data, what makes us think they can keep health records out of harm’s way?
Bad Guys Want Electronic Healthcare Records
To criminals, electronic healthcare records (EHR), including medical-identification records, are a treasure trove of actionable information. The MinnPost article touches on one reason why:
"[S]o-called ‘medical identity theft’ is a growing concern nationwide, as thieves may gain access to a patient’s health plan number, prescription history, and other personal information, which may be used to defraud health care providers."
The MinnPost article then quotes an expert from Gartner, who says that medical-identity theft is especially troublesome because it may take years to discover. If, during that time, criminals are successful in making fraudulent claims, the poor victim will most likely receive premium hikes, and not have a clue as to why; or worse yet, assume the insurance company is doing what it normally does – simply increasing rates.
The surge in interest of EHR by bad guys was not lost on Symantec Corporation. A few months ago, the company released a white paper that examined "the challenges and requirements of protecting confidential patient data online, the risk of security breaches in the world of EHR, and the measures health care organizations must take in order to achieve and maintain compliance."
The paper starts out with an overview of EHR, explaining that its main benefits are the ability to share patient data quickly, accurately, and easily among health care providers anywhere in the United States. More specifically, EHRs help:
- Record continuity from provider to provider
- Reduce errors in prescriptions
- Provide real-time tracking and alerts for more effective, efficient patient care
Next, Symantec looked at what in-place processes ensure patient privacy and the security of patient information.
Securing Patient Data at Rest and in Transit
When the Symantec paper started talking about securing patient data, the authors made the assumption that health care organizations will have adequate security solutions in place for stored patient records. As for patient data in transit, Symantec offered its own solution,
"In order to protect confidential patient data from unauthorized access, healthcare organizations need a systematic approach to security across the entire online transaction, thus mitigating threats at multiple levels."
When it comes to maintaining patient privacy, Symantec explains that tenets of the Health Insurance Portability and Accountability Act (HIPAA) are prominent in all EHR doctrine. State governments have also added their own statutes, which tend to focus on individual privacy, levying heavy fines if providers handle patient information incorrectly, or are slow in notifying patients of a data breach.
The paper also assumes that "many consumers would probably be inclined to say that the security of their financial data is of greater concern than the privacy of their healthcare records."
Maybe. But which is truly worse?
After all, data breaches like what Target shoppers are suffering through are indeed bad, but the damage can be repaired. It’s hard to say the same for a data breach resulting in the theft of patient health care records.
According to Symantec, "Once confidential information is spilled onto the Internet, it can’t be put back into the bottle. Friends, coworkers, family members, and potential employers may forever know what was supposed to be a private matter between you and your doctor leading to embarrassment, job discrimination, and other serious consequences."
Unlike financial data breaches, no amount of money can repair the damage.
One Last Consideration
It is important to understand that health care providers, in order to comply with HIPAA, must keep an audit trail of who accessed which records, what changes were made, and when. So, if something is not right, patients can expect answers to EHR-related questions. That’s a good thing. Unfortunately, by that time, the damage may already be done.