Electronic Health Records
Electronic health records (EHRs) are touted as making healthcare more affordable and efficient. It also assists care providers – you doctor – in making fewer mistakes such as prescribing a drug that reacts with other drugs you are taking but he doesn’t know about. The 2009 economic stimulus package aims at encouraging physicians to adopt EHRs, eventually reducing the Medicare payments to those who do not adopt EHRs.
What are Electronic Health Records, why are they useful, and more relevant here, what are the security implications of using them?
The topic of EHRs is enormous and not suited to a full discussion in one blog entry. However, I can touch upon the major highlights.
Standards
Several standards groups have taken on the task of defining and standardizing EHRs. The great part is that they’ve been working together to ensure that the standards are similar and compatible. Nitty gritty details of the standards can be found in lots of places.
Why?
EHRs allow for quick transmission of all of your records between providers, including hospitals, general practitioners, and specialists. They also allow for faster and more accurate searches for relevant information. For example, the computer can let the doctor know if there is any trending information that may indicate a problem. EHRs have also been touted as a way to make changing doctors easier. Instead of having your old doctor fax your records to your new doctor, they can just transmit your EHR using any number of permissible methods. EHRs are a great idea – in theory.
Where theory meets practice
Who is responsible for your EHR? Are you required to keep a copy with you? Does your doctor keep them? What about if you visit a specialist – does he have to update your record with both you and your doctor? A lot of these decisions have yet to be made – or will be made differently for each implementation, but most of the standards address these topics.
Usability
Most doctors and clinics are still using paper for a reason: they are healthcare professionals, not IT security people – not even IT people. My husband’s father is a dentist, and relatively technology savvy – his practice uses a computer system for billing, but only because if he doesn’t, insurance companies are unhappy with him. All of the patient records are still on paper, because neither he nor any of his staff are “computer people.” They can’t fix anything if it breaks, so they keep everything as simple as possible. Do you think that any of the thousands of doctors like him know anything about security? If we’re lucky, they know enough to know that they don’t know enough to deal with EHRs, but that’s about it.
Security
One thing everyone is concerned about is the security of their EHR. Unlike physical records that only need physical protection, EHRs need both physical protection and IT (logical) protection. Doctors & clinics have the physical protection part down, but if they connect the system with EHRs to the Internet (they don’t have to), they need someone else to take care of the IT side. Some doctors may choose to hire out their IT services, but at a cost. Other doctors may just decide to not connect the machine storing EHRs to a network. IT makes the security easier, but not the exchange of EHRs.
One of the biggest security problems I foresee with EHRs doesn’t have to do with the confidentiality (although that’s still a major issue), but with availability. Doctors’ offices aren’t data centers – they may or may not have backup power. They may or may not do backups. The availability of the EHR may drive its usage. If the computer is down (for whatever reason), doctors and clinics will just get frustrated and continue on with business as usual – on paper. At that point, integrity problems may be introduced as part of the record is electronic and part is on paper.
Backups are also a concern. Even large organizations sometimes have problems with backups-either running them in the first place or restoring them when necessary. How much do we expect small doctors’ offices to back up?
The other major security issue is improper access – whether from an external attacker or from an insider. In smaller offices, almost all employees have access to the records anyway, so an insider threat to EHRs is no more threat than insider access to physical records. In larger clinics and hospitals, the insider threat becomes more of a risk.
What most people are concerned about is some nebulous hacker getting a hold of their EHR and reading or distributing it. EHRs are just pieces of electronic data, and they’re just as secure as other sensitive electronic data (like your credit card numbers…) – except they need to be in the hands of people who are not familiar with IT security.
The market is just beginning, but I could see several large companies with security people on staff offering EHRs as a service and the doctors accessing them through a web interface. It lets the big company worry about security and providers worry about what they do best – taking care of people.