A deal with the devil: The security of electronic medical records

With the recent NSA admission of recording phone conversations of US citizens, there has been renewed interest in the right to privacy. For the record, it is worth recalling what the Fourth Amendment to the Constitution says.

“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.”

One can debate the NSA case versus the above, although I happen to agree with the ACLU that it is a constitutional breach. However, what about our health records? It has long been held that these should enjoy secure protection as well from public discovery. HIPAA laws reaffirmed this. However, in reality, it seems that violations of record privacy are far from rare.

Recently, it was discovered that approximately 3,300 Floridians’ confidential prescription drug information, stored in a statewide prescription drug database known as E-FORSCE, ended up in the hands of third parties without the knowledge or consent of the individuals whose prescription drug information was released.

The Electronic-Florida Online Reporting of Controlled Substances Evaluation program (E-FORCSE) is the Florida Prescription Drug Monitoring Program (PDMP). The PDMP was created by the 2009 legislature in an initiative to encourage safer prescribing of controlled substances and to reduce drug abuse and diversion within the state of Florida. It was set up after years of public outcries of how easy it was to purchase narcotics at pain clinics. The purpose of the PDMP was to provide the information that will be collected in the database to health care practitioners to guide their decisions in prescribing and dispensing highly abused prescription drugs.

Furthermore, the Florida Department of Health’s webpage states, “E-FORCSE complies with the Health Insurance Portability and Accountability Act (HIPAA) as it pertains to protected health information (PHI), electronic protected health information (EPHI), and all other relevant state and federal privacy and security laws and regulations. The information collected in the system will be used by the PDMP to encourage safer prescribing of controlled substances and reduce drug abuse and diversion within the state of Florida.”

How the above breaches in privacy happened are still under investigation. Yet, it seems that for every advance in electronic health records, there is a darker side of how to safeguard the information. Everyday, we use our smart phones to access banking and retail information. When done via a wireless network, the security is weak, at best. However, many of us readily give up some rights of privacy for the ease of commerce. Many of us understand and agree to this risk/benefit deal, but many do not. Recent revelations of retail stores tracking customers’ visits inside their stores via wireless networks and mobile phones seemed to shock us as well.

With or without our knowledge, we have made a bargain with the devil.

But if we cannot trust privacy when dealing with a healthcare provider, be it a doctor’s office, clinic, or hospital, then whom can we trust? Indeed, this privacy trust is stated in the Hippocratic oath, taken by physicians at the time of graduation from medical school 

“What I may see or hear in the course of the treatment or even outside of the treatment in regard to the life of men, which on no account one must spread abroad, I will keep to myself holding such things shameful to be spoken about.”

In some ways the electronic health record has made it harder to contravene privacy, since it requires an electronic consent that you are involved in caring for a patient before viewing the record. In the old days of paper charts, one could simply grab a chart and review information without being caught. But how often and forcefully these electronic record infractions are monitored are questionable.  Worse, doctors frequently walk away from computers logged-in, making it all too easy for someone to access any patient information for which they do not have privileges.

My feeling is that if properly administered, the EHR is far more secure than paper. Yet, no system is perfect, and if an ingenious hacker can find his or her way into the Department of Defense database, then surely, a medical electronic record can’t be all that hard for the highly determined and nefarious techno criminal.

The somewhat surprising lack of public outrage over the NSA phone tapping brouhaha indicates to me that the public has already relinquished its right to privacy in its mind. This is sad and regrettable. The price of convenience should not have to come with loss of privacy as part of the bargain. There is much that I disagree with the ACLU about, but in this case, I believe they are correct. EHR vendors have to do a better job of making the systems more secure, and those empowered in monitoring this security need to better job. And healthcare providers need to be cognizant of this as well, like always closing your EHR account before walking away from a computer screen.

Thomas Jefferson said it best. “I would rather be exposed to the inconveniences attending too much liberty than those attending too small a degree of it.”

David Mokotoff is a cardiologist who blogs at Cardio Author Doc.  He is the author of The Moose’s Children: A Memoir of Betrayal, Death, and Survival.

View 7 Comments >

Most Popular