With allegations of foreign intervention in American elections, provider breaches at a grand scale, and massive theft of “big data,” the spate of high profile computer “hackings” over the past few years has many concerned over the safety of their private information. Experts predict a focus on healthcare data as an increasingly important target for security attacks.
According to a recent survey among 12,000 people, most Americans don’t trust the security of health information technology. The reason for this doubt is due to two factors: the recent surge in cybersecurity breaches and physicians’ disinterest in adopting EHR. This combination can come with a major cost, creating harm in both operations and reputation.This survey, conducted in September 2016, found that for consumers who engaged with health information technology at a hospital or physician practice in the last year, 57 percent were skeptical of its overall benefit. As a result, 87 percent are unwilling to share all of their medical information. This concern about security, manifested in withholding relevant health histories, is counter-productive to accurate treatment and is particularly troubling in the pediatrics specialty.
Pediatricians are Very Adept at Securing Patient Histories
“These results do not surprise me,” noted Chip Hart of Physician’s Computer Company (PCC), an electronic health records (EHR) platform designed exclusively for pediatricians.
“Consumers are already aware of how their information is being used by everything they interact with, from Google to the banks to Amazon to the insurance companies. The parents who bring their kids to their pediatrician want to protect their children from prying eyes.
“I think pediatricians are really good at extracting the entire relevant patient histories, as a rule. After all, pediatricians are experts at patient relationships. Still, independent pediatricians should stress the importance of having a complete medical history and perhaps explain that any 'leak' of data isn't likely to come from them.”
The survey noted that most of the respondents were concerned that their personal health information is being shared with retailers, employers, and the government without their consent. More specifically, pharmacy prescriptions, mental health notes, and chronic condition data were of the greatest concern.
As another example of this issue, Hart noted a recent Supreme Court ruling focused on the state of Vermont’s prescription privacy law. The Court recently rendered its decision invalidating Vermont's prescription restraint law, which prevented the sale of information about individual doctor's prescribing records without the doctor's permission. Three companies which sell this information challenged the Vermont law.
The opinion holds that the law imposes a restraint on information held in the hands of a private speaker, and that even if the information were regarded as governmental it discriminates on the basis of speakers in a manner that requires "heightened scrutiny." Supreme Court Justice Kennedy anticipates future legislation that may attempt to regulate targeted use of data: "The capacity of technology to find and publish personal information, including records required by the government, presents serious and unresolved issues with respect to personal privacy and the dignity it seeks to secure. In considering how to protect those interests, however, the State cannot engage in content-based discrimination to advance its own side of a debate."
Vermont was the only state to fight for this type of prescription privacy.
Concern about Privacy led to HIPAA
Patient privacy was at the top of the list when PCC developed its pediatrics-exclusive software. Chip explained what safeguards were built into this platform.
“We were adamant about scrupulously adhering privacy safeguards of the Health Insurance Portability and Accountability Act of 1996 (HIPAA),” he noted, “While it is difficult to boast that we do something ‘so much better’ than our peers, because all EHR vendors can state that they've strengthened their security, we have made design choices which enhance data security.
“One important factor that differentiates us is that we don't use the ‘cloud,’ where the data are centralized somewhere else, like other vendors. We offer a 'personal cloud' solution where they OWN the data and they OWN the server, but it's maintained and made secure by us. Their data isn't sitting on a machine, mingled with other practices', presenting a large target for hackers.”
Secure Physician Portals
EHR law mandates protocols which discourage hacking of such commonly used physician tools as email, texts, and voice-activated note-taking devices. The PCC platform conforms to these. Chip explains.
“Our portal and physician mobile app are developed in-house and connect directly to the EHR, yet neither one stores data locally. The patient communication goes directly to the practice/PCP. No ‘middle man’ is involved.
“I have personally used two tools (one portal, one kiosk) as an adult patient. Both served ads and one attempted to market goods and services to me. I found this offensive and it absolutely made me question what was happening with my data. PCC will never work that way, ever!”
Changes in Security with Value-Based Healthcare
This patient survey reveals deep concern about the current state of the security of health information and the technology that collects and archives it. However, healthcare is rapidly changing from a payment-for-service to a payment-for-results model – so called “value-based healthcare.” Will this change give patients more or less confidence in the health information technology? Hart did not hesitate in his response.
“It will likely give patients less confidence,” he said. “With value-based healthcare, many more organizations are going to have access to patient data. Physicians are going to be required to hand over lists of patients and conditions to payers at a much higher rate. They'll have to participate in clinically integrated networks which will track a wide range of patient-level information.
“Hackers will continue to go after applications, systems and networks that are not maintained properly. To this end, good cyber hygiene will become a common organizational management component.
“The people who benefit from hacking patient information know this and it will be up to those of us who develop EHR platforms to continue to be diligent in our efforts to help physician records remain secure,” he concluded.