Will hackers create CPR mayhem? Neglect high-tech security at your peril
Guard your computerized patient records
As more and more hospitals put their medical records on line and form health information networks, the amount of information to assist in the care of patients is increasing every day. But with this computerization come risks that often are overlooked by hospitals, including threats to patient confidentiality and the integrity of the medical record.
Putting your medical records on line without proper security precautions is asking for trouble, risk management experts and computer security experts warn. This is true despite the pressure hospitals are facing to vertically and horizontally integrate. The electronic infrastructure needed to support system reorganization is a market imperative. But don't let that pressure supersede the necessity for appropriate security controls. If you do, you're playing with fire.
Take, for example, an incident that occurred last year in a Florida-area hospital: The teenage daughter of a hospital clerk used a hospital computer to print out the names and telephone numbers of patients who had presented to the emergency room the previous weekend, according to newspaper reports. Using the list, the girl called several of the patients and, posing as a hospital employee, told them that they were pregnant or HIV-positive or, in some cases, both. The information was false. One patient attempted suicide.
While the story may be an extreme example of what can go wrong, it underscores the need for risk managers to ensure that their computerized medical records are secured and that the integrity of the information contained in the records is not put at risk.
Ensuring patient confidentiality is one of the biggest issues facing health care risk managers, says Diane Drewes, RN, MA, risk manager of the Lahey-Hitchcock Clinic in Bedford, NH. The Lahey-Hitchcock system has three hospitals, more than 900 doctors, and 50 satellite facilities in Vermont, New Hampshire, and Massachusetts.
Like other risk managers, Drewes sees how easy access to medical records and information benefits health care providers, yet she is struggling with how to strike the correct balance between accessibility and security. Even web sites carry their legal issues. (For more information, see related story, at left.)
"This is the '90s. In a lot of circumstances, electronic records are much more convenient for providers. On the other hand, there is always a chance that someone can break into them," she points out. The Lahey-Hitchcock Clinic already has its lab reports, office notes, and appointment schedules on line, and it is continually putting more and more of its records on line. Overall, health care systems recognize the critical imperative of automating records; achieving both paperless and secure systems will take more time.
"The industry has a lot of room for improvement," says Dale Miller, president of Irongate, Inc. of San Rafael, CA, a firm that provides information security consulting for health care organizations. "The real measure should be how they are securing the information compared to the sensitivity of the information they are handling. On that scale, health care organizations have quite a ways to go."
Computerizing medical records does not necessarily mean that your records will be more secure, points out Alice Epstein, MHA, FASHRM, a consultant with CNA HealthPro, a health care systems consultant in Durango, CO. "The risks are different with computer records than there are with paper ones."
Also, recognize that computerizing the record does not solve fundamental medical record obstacles. "If you already have a problem with completion of medical records, for example, it will not go away just because it is on the computer," Epstein says.
Know the risks
Understanding the threats to the security of your institution's electronic medical records is the first necessary step to preserve confidentiality and integrity, risk management experts say. Also, take specific steps to ensure confidentiality. (See related story, p. 111.)
Threats can be internal and external. While the news media often play up the role of computer hackers, internal threats are the greatest risk for health care organizations, Miller says. Here are examples of each:
* Internal threats.
These come from inside the organization and can affect the confidentiality and integrity of the records. Internal threats can be as simple as a bored employee looking up the medical records of a fellow employee, or as serious as an attending physician unintentionally deleting information from a patient's record on a computer.
* External threats.
These surface from a variety of sources, including computer viruses, hackers, and vendors who install disabling software, says Diana J. P. McKenzie, JD, a partner at the Chicago law firm of Gordon & Glickson. McKenzie heads the firm's health care technology practice.
Another key issue is data destruction, which often is overlooked as a risk that can accompany computerization of data. While state laws vary on the permissible forms of medical record storage, risk managers should be aware that technical and legal issues can arise when electronic data are destroyed, McKenzie says.
Hospital officials must ensure that all data are fully destroyed, including the actual file and any backup files. More importantly, the destruction must be done to ensure patient confidentiality, McKenzie says. If vendors are destroying your files, the risk manager should make sure that their contracts include risk allocation and confidentiality provisions, she suggests.
Other risk management threats that increase with electronic medical records and health information networks include power failures, transmission errors, and hardware failures. Risk managers need to be aware of these risks as threats to patient care and include alternative ways to access and update patient information in the event a system breaks down or is inaccessible.