Data breaches at large retailers like Target and Home Depot get most of the media’s attention, but the one piece of electronic data most prized by hackers is your medical record.
Your medical history, captured in an electronic health record, could give a hacker access to your credit card, which would be similar to the Target breach. But your electronic health record could also provide a buyer on the dark web with the insurance information needed for fraudulent billing. Or, if the information is sensitive, it could be a source of blackmail.
That’s why electronic medical records bring top dollar on the black market. And that, combined with new technology, is why medical offices and health providers must be on alert.
“If it was only the electronic medical record, locked down in a hospital in a server room, that would be easier for us to protect,” said Scott McClintock of Clearwater Compliance, the Texas Hospital Association’s consultant on cybersecurity. “But these EMRs are connected via all sorts of other devices, whether it’s a doctor who has a mobile phone with an app that goes into the health records, or a smart infusion pump that is transmitting data to the cloud or even a laptop that the doctor or nurse could be using.”
That means each link in the chain must be protected, from the office kiosk to the laptop to the hospital. Every device, connected to a chain of other devices, presents a risk, McClintock said.
Malicious attacks by hackers exposed the records of more than 450,000 Texas patients in the last year, according to Health and Human Services’ breach portal, often referred to in the industry as the Wall of Shame. More than half of those records came from a single ransomware incident in January 2017 at Urology Austin.
Moving to electronic records
Dr. Ogechika Alozie co-chairs the Texas Medical Association’s Health Information Technology committee. TMA’s biannual survey indicates almost 80 percent of Texas doctors have moved, or intend to move, their paper files to electronic medical records, a move that was incentivized under the Affordable Care Act.
Over the last six years, the question from physicians has moved from, “Why should I be doing this?” to “Why doesn’t this EMR do more things?” Alozie said. Physicians not connected to large hospital networks find the current technology perfunctory, at best.
“My analogy is our EMRs still basically act like the brick cell phone,” Alozie said. “We’re used to the form, factor and technology of our iPhone, our Samsung 9, right? We’re used to everything being easy one-touch smooth. There’s no EMR on the market that works like that.”
Physicians, in general, don’t want to be struggling with the functionality of their technology. The ability to use technology seamlessly is important as the patient’s health-related phone apps evolve and the industry pivots to rewarding value-based care.
“If you can’t capture my measurements efficiently and seamlessly so I don’t see it, then there’s a problem, because I’m doing more work to give you that information,” Alozie said. “You don’t want your physician to be the highest-paid secretary in the office.”
Value-based healthcare pays for healthy outcomes. But it’s hard to gauge health improvements without data, which is why the Integrated Care Collaborative was created. ICC created the health information exchange that allows all the assets under Central Health’s umbrella to communicate with each other and other health providers in the region.
Central Health, Travis County’s healthcare district, warehouses much of the data that is exchanged between clinics, non-profit organizations, the Dell Seton Medical Center and even the Sendero health plan operated by Central Health. That requires a high level of confidence in a strongly interconnected healthcare system.
“For the people on my team, the fundamental part of their job here is to ensure that we have both network and file security,” said John Clark, chief information officer of Central Health. “It’s a way to know that everything in our environment can be trusted.”
The security of an increasingly complex system does not necessarily require more people working for Clark, but it does mean a broader, deeper knowledge of IT security: file, server and network.
“You have to be constantly auditing your environment for security vulnerabilities and then take steps to mitigate those vulnerabilities,” Clark said. “The best thing we can do is be proactive.”
The network of healthcare options in Austin has grown substantially in recent months due to the passage of a telehealth bill last session. Patients now have access to services like Teladoc, and established healthcare providers such as Austin Regional Clinics are offering supplemental telehealth services as a premium benefit.
Nora Belcher of the Texas e-Health Alliance says telehealth sessions are just as secure as walking into a doctor’s office. That was a given during bill negotiations.
“Sometimes I think there’s a little bit of a disconnect about telemedicine, like, where does it fit into the regulatory structure,” Belcher said. “And the answer is pretty simple. It’s just medicine. All the rules still apply. You have to make sure you use an encrypted system. You have to make sure sessions are secure. You can’t just text data over T-Mobile because that’s a HIPAA violation.”
Telemedicine once required a cart full of gear to make sure sessions were secure, Belcher said. Now a lot of it can be done over a commercial platform and Bluetooth. And that technology will soon hit a far larger audience, as secure communications and data sharing evolve between doctor and patient.
“Here’s my prediction,” Belcher said. “In another two years, every new mom is going to get a Bluetooth otoscope at her baby shower because we all know babies only get ear infections in the middle of a Saturday night.”