Addressing the security risks of healthcare IT

As an IT person working for a hospice company I am constantly attempting to find a harmonious balance between implementing technological advancements and mitigating security risks. In other sectors, IT departments can have something akin to carte blanche when it comes to new technologies and services.

The world of healthcare is often a bit slower to adopt new technology for a multitude of reasons, not the least of which being the heavy amount of regulatory scrutiny that falls on providers. While new technology can lead to increased efficiency in the use of information it also tends to usher in scary new security risks. In the past this has made healthcare IT departments very gun-shy when it comes to advancements in technology regardless of the improvements they may bring in the practical use of information. More often than not these advancements were all but ignored in favor of current, secure, and comfortable systems.

But the times, as Dylan opined four and a half decades ago, they are a-changin’.

We’ve managed to achieve connectivity in ways once thought to be impossible. At any time, day or night, staff members can communicate vital information with one another through email and secure messaging. Critical business information can reach central locations from even the most distant outposts in no time at all. Our most productive computers are no longer tethered to an office desk but instead are being carried in our purses and pockets. We have unlimited communication power at our fingertips. And as every good IT nerd knows, with great power comes great responsibility.

PwC’s Health Research Institute released a report late last year which indicates that healthcare providers are beginning to explore new ways to use patient data. Nearly 75% of those responding said they have either already implemented, or plan to implement, systems which expand the use of patient data beyond the traditional means. That is a staggering number but it is followed in the report by something even more staggering: only 47% have addressed the privacy and security risks associated with that expanded use.

I have no doubt that the majority of the 75% are planning to capitalize on the fresh wave of connected technology in order to find new uses for patient data. While I applaud this step forward it is rather disheartening to see that a scant 47% have even bothered to address security risks. This should be, and must be, a statistic that is improved upon. If 75% of providers responding plan to expand the use of patient data then 100% of them should also be addressing potential security risks. We owe our patients nothing less.

My particular area of expertise does not grant me the privilege of being directly involved with our patients. While this is also true of the majority of healthcare IT professionals it does not excuse us from the responsibility that comes with contributing to overall patient care. The IT decisions we make and the technologies we implement come together to form a significant addition to the level of care our company provides to its patients. It is our duty to handle the privacy and security of our patients with the utmost care. While I believe that healthcare providers would benefit greatly from embracing advancements in technology we have to refrain from playing fast and loose with patient data simply because we want the newest and shiniest.

Someday I will move from being an employee of a healthcare provider to being a patient of one. When that happens, do I want to be with an organization that took the time to consider the privacy of my information or one that didn’t bother? In my opinion that’s a pretty easy choice.

Steve Lorenz is IT Director, Solaris Healthcare.

Submit a guest post and be heard on social media’s leading physician voice.

email

Comments are moderated before they are published. Please read the comment policy.

  • http://www.facebook.com/people/Ardella-Eagle/840440226 Ardella Eagle

    Thank you, Mr. Lorenz, for being an IT person who understands the HUMAN aspect of EHR and HRM.  I truly hope that technology can live up to the security requirements that individuals (let alone the government) deserve in preserving the integrity of their personal health records and privacy.  I’m sure that the IT privacy sector will continue to improve when you have private companies, such as LifeLock, continually improving personal information security.

  • http://pulse.yahoo.com/_2LRZNHDZS6DU45WQ567LPQ7CMI ninguem

    Time after time after time after time after time, one incident after another, coast to coast and everywhere in between, the people who breach the data wear expensive business suits, and wouldn’t be able to find the operating room unless you left a trail of $100 bills to follow.

    They think about renovating the cafeteria. They want to see the cafeteria’s financials. They download the entire data for the entire hospital system for the last ten years, on their laptop. Patient data, everything.

    Then they bring it home.

    Except on the way home, they left it behind at a Starbucks……or a tavern or a strip joint. Somebody making minimum wage, with more ethics and diligence than the guy in the suit, finds the computer and takes the time to figure out the owner, and more often than not, doesn’t pry into the confidential stuff.

    But the hospital can’t be sure of that, and everybody who went to that hospital for the last ten years, gets a year of LifeLock as part of the settlement.

  • Anonymous

    “PwC’s Health Research Institute released a report late last year which indicates that healthcare providers are beginning to explore new ways to use patient data. Nearly 75% of those responding said they have either already implemented, or plan to implement, systems which expand the use of patient data beyond the traditional means.”

    I have concerns that this is being done without patient consent or understanding of what is being done.
    There are already healthcare systems that are compiling this data for marketing purposes. “Beyond the traditional means” has not really been defined. Improved patient care seems to be low on the list for the goals of implementation.

    Thanks for your post.

    • Anonymous

      As I stated in a reply to a commenter above, I can only speak for our company, but I can tell you with great certainty that improved patient care is a primary goal for our IT implementations. The continual improvement of patient care is a lens through which our decisions are filtered. I very much share your concerns that the companies referred to in PwC’s report are undertaking these implementations with little understanding of what is actually being done. It is quite a scary thought and something which prompted me to write this post in the first place. As healthcare providers we owe it to the patients to be responsible when making IT decisions, plain and simple. Thank you for your comment and for pointing out the fact that improved patient care is often an overlooked thought.

  • Anonymous

    It is difficult to understand why medical information with a patient’s id on it could be downloaded by a non involved person  – ie. the expensive suit guy remodeling the cafeteria – why are they linked?  Even if there is a hugh database available to researches in the future this would be dissociated from patient IDs would it not.   

    That someone could hack a database to get health information on individuals would seem more of a problem regarding life insurance companies.  That would be the biggest area for the expensive suit guys.  The second would be health insurances but they are not going to be able to use it to deny insurance anymore (hopefully).

    I see it as a critical step for efficiency, cost control, patient safety, error reduction and to have large databases for research and developing clinical practice guidelines. 

    Have you checked out how France is able to have a universal EMR and not have these problems?  Is the only way to really get to efficiency, privacy and better care information is having a universal EMR?  How about the VA – how do they do it.   

  • Anonymous

    Can you manage the lack of privacy of the health information?  Do you identify a conflict of interest between a health IT and a hospital, medical center or insurance company?

    • Anonymous

      I can only speak for our company and our company alone, but there is no conflict of interest between our internal IT department and the portion of our company that directly serves our patients. Because of this we are able to manage the privacy of our patients health information with great success, as both sides are working closely together instead of working against one another. Every action taken by my department is done so in the context of serving the clinical department and not to further our own IT interests. I think you touch on a great point though since often times IT departments/consultants can get caught up in pushing their own agenda and do so at the risk of the security of patient information. It is certainly an issue that needs to be addressed as companies move forward in this new age of expanded technology.

      • Anonymous

        Thanks, for your response.
        Best,
        Katerina Hurd,Ph.D.