Digitized medical records are easy prey, but all is not lost
Christopher Burgess on writing a new prescription for health data trust.
By George V. Hulme
August 01, 2011 — CSO —
Wherever money and information flow, so do the bad guys. And with estimates that the Electronic Medical Record (EMR) and Electronic Health Record (EHR) market in the U.S. will reach $6 billion by 2015 -- according to the research and consulting firm MarketsandMarkets -- it's no surprise criminals are paying more attention. Also no shock is that as more records are digitized, there are many more breaches involving patient data. This is not unlike when vast credit card breaches quickly followed the rise of e-commerce in the early part of the previous decade.
CSOonline has been staying on top of the health care security issue, including what health care organizations are doing to protect their customers' data and the rising risk of medical identity theft.
Also see: Healthcare security in intensive care
Christopher Burgess, frequent author on IT security subjects and member of the External Advisory Board for the Mayo Clinic Center for Social Media, recently published a blog post, Patient Data: The Crown Jewels on the Mayo Clinic's site that provides recommendations health care providers can use to better secure their patient data. We took the opportunity to discuss the state of health care data security with Burgess as it relates to current trends, cloud computing, physical security and criminal motives.
CSOonline: When looking at the types of breaches health care organizations have suffered, they don't look like sophisticated hacks. Many of them, such as hardcopy breaches, stolen systems, and lost thumb drives all look avoidable.
Burgess: That was one of the reasons I wrote the piece. My feeling was that this level of data loss and the manner in which these records were lost are basic blocking and tackling in the protection of data arena. I would venture to guess, though I didn't do any research on this, that most if not all of the entities that lost their data were HIPAA compliant. As I said in my piece, and as you and I have said many times elsewhere, being compliant doesn't mean being secure. It just means you're compliant to a level, and I have to say that HIPAA absolutely raised the tide and put in a modicum of security. But the secure practices need to be ingrained in everyone handling medical records. With digital records, folks lock their offices and they chain down their computers, but a bolt cutter can steal their computer. But if the data isn't protected within that state, then if you lose all your servers, what have you lost? You've lost all your customer data. And take this to the next level. What about those entities that are outsourcing to a cloud storage environment, their data records or their patient data records? How are they being secured in that environment? If that entity is breached, it's not just one organization's list of patients, but potentially dozens or hundreds of organizations.