Some days I feel like a health care sector Paula Revere spreading the warning, “the breaches are coming, the breaches are coming!”
I just saw this commentary on HealthNewsDigest.com by Eric Demers, the senior vice president of health and life science at MEDecision:
…. We shouldn’t allow overreactions to misperceived weaknesses in EHR security to thwart progress. It’s too important for the healthcare system and, ultimately, the American economy. It becomes a matter of what’s more dangerous: the potential misuse of information or simply not using information at all? Is the privacy of an overwhelming minority of people more important than safer, more efficient, more affordable and potentially life-saving healthcare for the overwhelming majority? Frankly, only the highest profile members of society (celebrities, athletes, etc.) stand to actually be negatively impacted by an unlikely EHR privacy breach. With that in mind, the question of whether we value the privacy of information more than its potential to help us lead healthier lives takes on a much more compelling perspective.
“Overreactions?” “Misperceived weaknesses in EHR security?” “Overwhelming minority of people?” Has he not been paying attention to breaches in the health care sector even before we get to EHR services? Has he not read all the surveys showing that the majority of people are concerned about privacy and security of their personal information?
The new FairWarning report showed that snooping on family and neighbors is probably much more prevalent than has been reported. And those problems will just transfer to EHR when staff has access to the login for a patient’s doctor and uses it to snoop. It is not, despite his claims, just a matter of high-profile people who are likely to be targets of snooping. Those are just the cases that are more likely to be detected and reported in the media.
He also writes:
No EHR is going to come with guaranteed safety, but I would argue that the risk level is the same or less than that associated with online retail and banking transactions. The public needs to understand this.
Then again, the risk level might be greater because EHR services may not invest as much in security as the financial sector. And relying on EHRs is also risky when you consider cloud outages, as are now being documented by www.cloutage.org. Relying on EHR in a “life-saving” situation is risky if you lose your Internet connection or the service itself has an outage. Could such services be unavailable under the weight of a DDoS attack? Almost certainly. Could EHRs save lives? Probably. Are they all he is cracking them up to be? I think not. Is he downplaying some very real risks in promoting them? I think so.
The flaws in the UK system should be a cautionary tale for us all. The number of snooping incidents suggested by the FairWarning report should be a cautionary tale. Extortion demands made on Express Scripts, the Virginia prescription database, and the Texas Cancer Registry should give us pause. What prevents an EHR provider from being hacked and ALL EHRs on their service being accessed or acquired by extortionists or those who would do harm? Nothing. Absolutely nothing. And while people can get new credit cards or bank account numbers, once their sensitive health information is out there, there’s no unringing that bell. Yes, EHRs have potential use, but let’s not downplay the risks to privacy and security.