As the Obama administration pushes ahead with plans to increase the use of electronic medical records, two internal reports released Tuesday by the Department of Health and Human Services revealed “significant concerns” about security gaps in the system.
The Office of the Inspector General found “a lack of general [information technology] security controls during prior audits at Medicare contractors, State Medicaid agencies, and hospitals.”
The investigation audited computer security at seven large hospitals in different states, and found 151 major vulnerabilities, including unencrypted wireless connections, easy passwords, and even a taped-over door lock on a room used for data storage. The auditors classified 124 of the breaches as “high impact” – resulting in costly losses, injury or death. According to the report, “outsiders or employees at some hospitals could have accessed, and at one of the seven hospitals did access, systems and beneficiaries’ personal data.”
The hospitals were not identified for security reasons, but were located in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas.
Deven McGraw, the director of the health privacy project at the Center for Democracy & Technology, told the Rundown the report was a “wake up call to the health care industry,” adding it “shines a spotlight on the need to light a fire under both the regulators and the health care industry that this is a serious issue.”
Health records contain vital personal information – a person’s name, birth date, address and social security number. All of that can be used to construct a false identity, or to collect fraudulent Medicare charges. Health records also contain details about medical treatment, and some worry that this information – particularly about mental health treatment – could be used against them in their career. And in the case of celebrities, the risk is that information could be sold to tabloids, as was the case with Britney Spears and Farrah Fawcett at UCLA’s Medical Center in 2008.
Fixing the security loopholes mainly falls on the Office of the National Coordinator in HHS, which sets standards, and the Office for Civil Rights, charged with guarding the privacy and safety of medical records. McGraw said one key fix is updating security provisions in HIPAA* laws that have not kept pace with technology.
In theory, electronic medical records will streamline a patient’s medical care by reducing paperwork, increasing efficiency and improving outcomes.
President Barack Obama has championed health information technology, and set a goal for every American to have a secure electronic medical record by 2014. That was part of his administration’s “first wave” of health reform in the American Recovery and Reinvestment Act, passed by Congress in February 2009. Beginning this year, health care professionals who effectively use electronic records can each receive up to $44,000 over five years through Medicare or up to $63,750 over six years through Medicaid.
And, beginning in 2015, facilities that don’t have the system fully in place will be penalized by lower payments from Medicare and Medicaid.
“Today, in almost every other sector besides health, electronic information exchange is the way we do business. A cashier scans a bar code to add up our grocery bill. We check our bank balance and take out cash with a debit card that works in any ATM machine.
“But despite the clear benefits of health IT, only two in 10 doctors and one in 10 hospitals use even a basic electronic record system.”
In March, the Washington Post’s Lena Sun reported on why so many doctors remained wary of making the switch. Physicians she spoke to worried about not only privacy, but the cost of the transition – even with the government incentives.
McGraw said addressing security concerns outlined in the report is crucial to moving health reform forward. “We need this to happen,” she said, and we can’t achieve the goals of reform “without digital healthcare records.” McGraw added, “at the same time, as the public starts to significantly mistrust their data in these systems, they will not willingly participate and won’t support public funding to these initiatives.”
* A misspelling in this acronym has been corrected.