On Saturday, Jan. 10th, I’ll be moderating a panel at the Consumer Electronics Show’s (CES) Digital Health Summit. The distinguished panel that includes executives from Dossia, Kaiser-Permenante, Microsoft and Walgreens will address the topic: Who Will you Trust with Your Health Data?
In preparation, I have been doing some research on the subject and following are a few data points for consideration:
Since April 2003, HHS’s Enforcement Office has handled over 9,666 cases that required some form of enforcement/corrective action regarding HIPAA privacy and security violations of Personal Health Information (PHI). That works out to over 1,200 cases a year.
In 2009, PrivacyRights.org reports that there were 46 breaches of PHI representing nearly 80M records. Note that 76M of those records were from the VA that inadvertently sent one of its RAID drives out for repair without cleansing it of those 76M records of veterans. If you can’t trust the government to keep your PHI safe, who can you trust?
Subtract the VA outlier and you get about 4M individuals who had their PHI breached in 2009 across 45 documented incidents or about 89,000/breach. That’s a lot of compromised records!
Also in May of 2009 we saw the Virginia Health Data, Dept of Health Professionals get hacked in which 531,000 individuals PHI were compromised and held ransom by the hackers for a cool $10M.
And let us not forget CVS who was fined $2.25M for sloppy disposal of prescription records. No one has any idea as to how many individuals may have been compromised in this blunder by a major pharmacy chain.
The scary thing about the above is that these numbers represent documented/reported cases of data breaches and it would be easy to argue that the actual number of breaches that occur in a given year is quite a bit higher (let’s remove the 76M records in the VA breach as that really is out there).
This all raises the question:
If organizations like the VA, the Virginia Health Data, Dept. of Health Professionals and some of the most prestigious hospitals in the country can’t keep PHI safe, who can?
Which logically leads to the next question…
Is there any true, fool-proof way to insure absolute privacy and security of PHI that is held by a covered entity, business associate or even an organization like Microsoft or Dossia acting on behalf of the consumer?
Yes, there are strong passwords, yes, data can be encrypted on a server but for just about every barrier thrown up, hackers have found a way to break in. Also, beyond just hackers, what is surprising is that a number of the PHI breaches in 2009 were done by employees who were then selling such data to others, such as ambulance chasing lawyers and tabloid magazines.
Which leads me to conclude…
Maybe the belief in absolute privacy and security of PHI is a fallacy.
As we move to digitize PHI through the adoption and use of EHRs by physicians and hospitals it is inevitable that we will see more breaches. Hopefully, the benefits that we, as a nation and citizens, accrue from the adoption and use of such digital records to better manage our health and coordinate health among our healthcare team will far outweigh the risks we will be taking in the potential compromise of our PHI.
Other sources points to similar (but somewhat higher due to different inclusion criteria) problems.
http://datalossdb.org/search?data_type%5B%5D=MED&direction=desc&order=reported_date
I agree that privacy under the current regime is a fallacy and probably impossible, but is the current regime with a single entity holding and at the same time ensuring the privacy of the information correct?
Should we as patients accept that we literally put all our eggs in just one basket? Should we retain the responsibility ourselves? Are we capable of doing so?
Interesting topic. Your discussion reminds me of the security discussion that happens around any technology. Basically, you can never secure your environment against every possible type of breach. Were it possible the government would have achieved that goal long ago.
A wise friend of mine once told me, it’s not about making it impossible for a breach to occur (since that’s impossible). Instead it’s about making it hard enough for a breach to occur that it rarely happens.
However, the only problem is that this type of security doesn’t do a good job of taking care of the human element of it all. The large breaches that you talk about aren’t really technical, but human. A human made a mistake. The technology could have prevented the breach, but the human didn’t protect it appropriately.
I think your point is good that the benefit of sharing the data far outweighs the potential for breaches.
If I can free myself on Saturday, I might stop by and heckle you.
I posted your article to my myspace profile.
So how’d the panel moderation go today? (and you had the wrong date in your article, Saturday is the 9th, not the 10th, just FYI)
John-
I think we have to resign ourselves to being unable to completely secure health data.
Maybe we can use George Church and colleagues in the Personal Genomes project as an example, sharing genomic and health data with others (this is a private opinion, not the opinion of my employer).
My wife and I had an experience where Johns Hopkins lost a laptop with thousands of EHRs on it. But at least they immediately notified us and others.
I believe this is going to be an ongoing problem, even DOD “black ops” IT have been hacked.
Along the same lines as this story, twitter.com got accounts phished a few days ago. It appears no site is safe.