Healthcare moving to Cloud Computing

Joe Conn looks more deeply into the problems of ‘cloud’ computing for the storage, exchange, and analysis of health data. See his article in Modern Healthcare: ‘Healthcare is slow to change’ to cloud environment

Today there is not yet a trusted organization to certify the privacy of electronic health records systems, whether on servers or in clouds.

Until the privacy of health data can be assured first with trusted security certification and then with a separate stringent privacy certification (proving that patients control the use and disclosure of their sensitive records) Americans will not trust that their data is safe.

Proof that consumers control personal data in clouds will be essential for trust in health IT.

So far all we have are promises of security and privacy. We won’t trust without verification .

Financial System vs. Healthcare System

The financial system is often lauded as being good at protecting Americans’ sensitive financial and demographic data, but the evidence is not so clear. Heartland had a massive breach of credit card data in its system of sponsored banks. In addition to the $12.6 million in costs, it will also have to pay to “implement end-to-end encryption when payment data is sent from the merchant to the processor”.

Will breaches of healthcare data cost any less? That is highly doubtful. The pain and exposure is far worse and there are NO remedies. The privacy of health data can never be recovered or restored. With identity theft you can eventually recover from the damage and restore your credit.

Plus its harder to protect electronic health data because there is SO MUCH MORE sensitive personal data than exists in financial systems. Payment and credit card data are just the start, everything is included in electronic health systems, from prescriptions to DNA.

And compared to the financial industry, the healthcare industry has millions more employees—-of insurers, hospitals, pharmacies, data management and data warehousing corporations, HIT vendors, and even state and federal government agencies—-who all have access to sensitive data.

See article “Heartland breach cost $12.6 million, CEO says”

A Start to Securing PHI?

Sometimes press releases for new products tell us far more about the risk of identity theft in electronic health systems than the mainstream press or trade journals.

Check out this zinger quote: “Most organizations don’t even know where their PHI is.” Why doesn’t the mainstream press tell the public that the health care organizations (like hospitals) have no idea where all their sensitive personal health data resides?

How about this: “The software (Identity Finder) automatically finds PHI such as social security numbers, medical record numbers, dates of birth, driver licenses, personal addresses, and other private data within files, e-mails, databases, websites, and system areas. Once found, the software makes it simple for users or administrators to permanently shred, scrub, or secure the information.” Emails? Who sends drivers license numbers, SS#s, and Dates of Birth in emails? Clearly lots of healthcare organizations do.

We can only hope products like this sell.

See full article at:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/05-05-2009/0005019328&EDATE

Is not just celebs who need strong security and privacy for PHI

‘Smart’ EHR software designed for security, privacy, and compliance with the law and ethics, would allow only those who have your informed consent to access your records. Staff and employees who carry out the orders of your attending physician could access your records under the informed consent you give your physician, by electronically affirming they are part of your treatment team. Instead of primitive, legacy EHR systems that allow 10,000 hospital staffers or employees access to your records, in a ‘smart’ EHR system only the 100 or so directly involved in your treatment could get into your PHI, preventing 9,900 snoopers’ eyes from seeing anything.

Is not just celebs who need strong security and privacy for PHI–what about women whose abusers work for hospitals? What about all the minor local celebs? Do you want your nosy neighbor who is a clerk to be able to read your records?

Stepping up employee snooping via retroactive audits is EXTREMELY expensive (major hospitals have to have large technical staffs to be able to audits millions of accesses looking for those that should not have occurred). ‘Smart’ consent technologies exist. Retroactive audits for improper access are like looking for needles in a haystack UNLESS you are Nadya Suleman or some other celebrity whose EHR is being actively watched. Why not keep the horses from getting out of the barn in the first place?

Refer to COMPUTERWORLD story: “Kaiser fires 15 workers for snooping in octuplet mom’s medical records“.

Missing Laptop Keeps Firm From Registering New Fliers — by Joseph Galante

Verified Identity Pass (Clear), a firm that specializes in keeping fliers sensitive personal information secure, doesn’t encrypt data and had a laptop stolen. Do you think your sensitive health information is any safer in the healthcare system? ….Remember the stolen NIH laptop that had unencrypted data? What about your local hospital? Will your local hospital do a better job than UCLA Medical Center in keeping snoops out of your records?

Here’s what Verified Identity Pass says about security and privacy. They had an audit by Ernst and Young, but apparently it didn’t mean much:

Clear’s Commitment to Privacy

“Since our founding in 2003, we have been committed to the privacy and security rights of our members. We have created an exhaustive privacy and data security program and we will always clearly communicate any changes to that program with members.

We are committed to the transparency of our privacy practices and that’s why we have instituted open, independent checks on our privacy promises, including an independent and public security and privacy audit, the appointment of an independent privacy ombudsman, and an unprecedented Clear Identity Theft Warranty.

In June, 2007, Ernst & Young LLP concluded a comprehensive, independent audit of our privacy policies and practices. This was the first ever independent privacy audit conducted for a national registered traveler program.”

View Full Article