The observers currently weighing in on health IT security and privacy include American Health Information Management Association (AHIMA) president Rita K. Bowen, who in an otherwise fairly well reasoned article appearing online in the Huffington Post yesterday somewhat surprisingly seems to argue that some concerns over security and privacy and electronic health records are overblown, and that security and privacy protections are actually very strong:
"The new generation of electronic health record (EHR) software systems are equipped with multiple security and privacy layers that make it virtually impossible to gain unauthorized access to any single patient record, and are less enticing to hackers than any paper-based record system out there. These same systems must also pass strict government-authorized certification standards that include a long checklist of criteria to ensure that they are compliant with existing HIPAA and security measures."As well-intentioned as these statements might be, they rely on assumptions that are not well-supported by available evidence (including the steady stream of health data breaches now posted publicly by HHS) and therefore undermine the credibility of her overall argument. Bowen's comment about the strong user authorization controls may apply in some cases with some systems to prevent access by unauthorized external attackers, but very few systems provide the sort of fine-grained access control (or logging of read access to patient records) to keep health care insiders from gaining access to any records they want to see. It's also hard to see how paper file records even in a large practice or facility would provide as attractive a target for personal health data theft as the hundreds of thousands or millions of electronic health records that might be technically accessible through interoperable networks of health records and associated information.
The last point is the most misleading, as in the current health technology environment, vendors are not required to submit their products for testing or otherwise certify the existence or the effectiveness of their security measures, although the EHR system and module certification program under meaningful use is a small step in that direction. Compliance with HIPAA safeguards is mandated by law for HIPAA-covered entities (and soon, thanks to HITECH, for business associates and contractors and subcontractors as well), but actual compliance has been voluntary, with enforcement (in the form of HIPAA audits and, where violations are proven, penalties imposed on violators) limited to those entities about which complaints have been filed with the government. With any luck, the market opportunity for EHR vendors presented by meaningful use incentives will result in most or all of these products undergoing certification, but the certification process is only intended to demonstrate conformance with meaningful use standards and criteria, which fall far short of all the safeguards associated with the HIPAA Security Rule.