Addressing Health Data Security with Today’s Devices
While the advent of electronic health data offers impressive potential when it comes to treatment and diagnosis, it brings with it a host of security issues. The issue is cumbersome and often slow-moving regulatory bodies are scrambling to keep up with the quickly changing landscape of the medical world and they’re leaving a path of semi-regulation in their wake.
“We’re really in the middle of a health information revolution”, says Andrew Gantt, a partner at Cooley LLP, leading the law firm’s Healthcare and Life Sciences Regulatory Practice. “If you look back 25 years, before the internet and wireless devices became popular, providers and payers were really the sole source of medical information.”
Back before digitized health took off—aided by ever expanding data storage and technological advances—it was clear via HIPPA laws that the provider and closely associated entities were responsible for physical patient information that came via charts, imaging, and in various other forms. In general, it was easy to control simply because there wasn’t an efficient means of sharing the information outside of physically sharing the chart.
On top security concerns, hospitals and practices are struggling with the logistical issues of converting all data and keeping up with technology. Despite research suggesting digitized medicine reduces costs and mistakes while improving patient outcome, the day-to-day of going digital is negatively impacting production, says Gantt.
Though medical facilities often have trouble seeing the long term benefits, patients are starting to see it is a basic requirement.
“People are demanding instant and accessible information in all aspects of their lives”, says Gantt. The migration to making those demands for medical needs was a natural evolution.
The progression includes things like using iPhones to transmit images, storing chart information digitally, using iPads in patient rooms, wireless medical devices, and even transmitting diagnostic images from office to office via the internet. All of these technologies aid in the speed and accuracy of diagnosis and patient treatment, as well as lessening the chaos of the medical field. Further, having the information at your fingertips at all times is appealing to the patient.
Information available in the cloud allows for research companies to mine the data and distill vast amounts of material into reports about particular diseases that the individual provider wouldn’t be able to produce, says Gantt. Plus, they’ll be able to look at outcomes of treatments to assess how well the care being provided is working and establish better treatment protocols.
Despite all the positives, the problem of security and who is responsible for maintaining that security remains.
In an attempt to regulate and monitor eHealth information, the government added HITECH to the HIPPA regulations to little avail.
“HIPPA and HITECH are meant to secure data, but, ironically, they reflect an old regime in their rigidness and they need to be more fluid”, says Gantt. “We’re behind the curve in terms of regulation for wireless and eHealth.”
As it stands, healthcare providers and health plans are covered under HIPPA, and HITECH added the independent contractors that work with providers. Those entities are now responsible for protecting the information, which is easier said than done.
Because the regulatory body that deals with a particular type of information depends on what type of electronic health information you’re dealing with, be it medical information about children, genes, or another area, it’s often a confusing and loophole-prone process. According to Gantt, “It’s a patchwork quilt of regulation and protection, depending on the information being transmitted, and there is increasing concern over devices, which provide medical information, but are not regulated under HIPPA/HITECH.”
On the hospital and practice side, administrators must also decide if they will allow doctors to use iPads, iPhones, and other smart wireless devices, and if they decide not to, is restricting use even a feasible option at this point. If they do decide to approve devices, they must encrypt the information and create a plan for what to do if the phone is lost or stolen. Most of these plans include a remote wipe of the information, which could be considered a potential security threat if used improperly.
Despite uncertain and dated regulations, hospitals and practices are forging ahead with security measures.
“A few years ago, a lot of people wouldn’t bother to encrypt or add GPS devices to track movable equipment or have the remote capability of erasing information,” says Gantt. Now there is a significant argument for those things being a good return on investment when you consider the risk profile of what happens if you lose patient information. There are far more reporting allegations and the fallout is more significant in terms of cost and injury to reputation, so it makes security and all the safe guards a better investment.