There were several interesting articles involving electronic health record (EHR) security risk-related issues these past few weeks and days.
First, there was a flurry of news reports in the UK earlier this month about doctors expressing concerns involving the security of the rollout of the Summary Care Records (SCR) scheme. The SCR is part of the National Health Service's (NHS) National Programme for IT (NPfIT), the UK's late and over-budget national EHR system.
The SCR, as explained by the NHS to its patients, "... will contain important information about your health, such as details of any allergies, your current prescriptions and whether you have had any bad reactions to medicines. After that, each time you use any NHS health service, we may add details about any health problems, summaries of your care and the professionals treating you to your SCR."
A person can decide to opt out of having an SCR, which means their detailed electronic medical records would only be available at their local healthcare facilities - such as hospitals, clinics and general practitioners - that are being linked electronically.
Several local councils as well as doctors' groups are telling patients to consider opting out of the SCR scheme because of their concerns over the security of the SCR database, who has access to it, as well as the data quality of the SCRs themselves. For instance, the Londonwide Local Medical Committees have launched an advertising campaign urging their patients to opt out, while the Milton Keynes Council has decided to remind local residents in writing that they can opt out of the scheme.
The British Medical Association has also called for a halt of uploading patient records into the SCR database until the £723,411 report which the government itself commissioned on the security and privacy issues involved was delivered and debated.
So far, 1 million of the potential 55 million patient SCRs have been uploaded, and the UK government wants that to reach 10 million by the end of the summer.
On Monday, there was a long article in ComputerWorld examining some of the security issues facing the US effort to roll out a national EHR system over the next few years. The main point of the article revolves around the question of whether it is reasonable to expect your local physician office to possess the IT security skills needed to keep electronic medical record safe not only now but especially against future threats. Many of those interviewed expressed skepticism that doctors would suddenly turn into security mavens, which I share.
Another point in the article was that it will likely take a major EHR security breach before much real attention will be paid to the EHR (lack of) security issue. Unfortunately, I share this view as well.
Then on Tuesday, there was an editorial in the Wall Street Journal by Dr. Deborah Peel, a psychiatrist and the founder of the Patient Privacy Rights organization that made similar points as in the ComputerWorld article, but also pointed out that patients currently do not have control of the information in their electronic medical records.
Dr. Peel writes that, "Today our [the patient's] lab test results are disclosed to insurance companies before we even know the results. Prescriptions are data-mined by pharmacies, pharmaceutical technology vendors, hospitals and are sold to insurers, drug companies, employers and others willing to pay for the information to use in making decisions about you, your job or your treatments, or for research. Self-insured employers can access employees' entire health records, including medications."
She also points out that, " .. in the past five years, according to the nonprofit Privacy Rights Clearinghouse, more than 45 million electronic health records were either lost, stolen by insiders (hospital or government agency employees, health IT vendors, etc.), or hacked from outside."
What Dr. Peel is advocating, among other things, is "to insist upon technologies that protect a patient's right to consent to share any personal data. A step in this direction is to demand that no federal stimulus dollars be used to develop electronic systems that do not have these technologies."
A nice idea, but also one that I think will never gain traction in the face of all the data-miners, researchers, drug companies, insurance companies and the US government itself which sees electronic patient data as a way to both control the cost of healthcare as well as to make a boatload of money.
The UK government sees the same benefits, which is why it is pushing hard to get as many SCRs into its national database as possible. Security and privacy don't stand a chance against these forces.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.