When former President Bill Clinton underwent heart surgery at New York's Columbia Presbyterian Hospital last September, several pairs of prying eyes tried to get a look-see at his record. According to the New York Daily News, 17 hospital workers were suspended for attempting to access Clinton's file, including a doctor, several supervisors, a lab technician, and a number of clerical employees.
The incident is more than a testament to the power of celebrity; it's also a reminder of the hazards of online health technology, which go hand in hand with its benefits. Few of the suspended workers at Columbia Presbyterian would have been able to access Clinton's file if it had not been conveniently stored in the hospital's electronic health record (EHR).
Like a host of other e-health technologies, the EHR is credited with making hospitals -- and a growing number of physicians' practices -- more efficient and better able to provide high-quality care. But e-health technologies also make the private information they're built to transmit more vulnerable to disclosure, whether by curious insiders, by accident, or at the hands of professional hackers.
And it seems the healthcare industry is especially vulnerable.
"If your bank had the same security precautions as your hospital or doctor's office, would you keep your money there?" asks Clyde Hewitt, a security consultant with CTG Healthcare Solutions.
The question is meant to be rhetorical, but the fact is that most physician practices simply haven't put a lot of thought into security. Experts say that's true even though practices must meet the security requirements of the federal HIPAA rules beginning in April.
Following on the heels of HIPAA's troublesome privacy regulations, the security rule says you must implement safeguards to protect the confidentiality, integrity, and availability of any patient data that is either stored in an information system or transmitted electronically.
Even so, the vast majority of physicians are woefully unprepared to meet the HIPAA standards, according to a 2004 report from URAC, a nonprofit accreditation group. URAC's security audit found that just three of the more than 300 healthcare organizations it surveyed had a comprehensive security program in place. One reason, healthcare consultants suggest, is that practices that don't offer electronic services such as online scheduling or e-mail consults feel they're safe from the Internet's many security risks.
But are they?
Beware of spies
"I think doctors are deluding themselves if they believe they're safe just because their patient database isn't online," says Wayne Haber, director of software development for SecureWorks, one of a growing number of Managed Security Providers (MSPs) that handle security for large healthcare organizations, banks, and utilities. "If they have an Internet connection for Web browsing or e-mail then their information is exposed. Hackers only need one way in."
David Kibbe, MD, director of the Center for Health Information Technology at the American Academy of Family Physicians, warns that the millions of viruses and spyware programs -- which Web users are often duped into exposing themselves to -- pose a far greater danger to physician practices than directed attacks by individual hackers.
"It's difficult to get physicians, particularly in small practices, to pay attention to security," says Kibbe. "But they'd better get interested in protecting their LANs [local area networks] from worms, viruses, and malicious insults to their computerized systems because they can cause them enormous problems, from damaging the integrity of the data they use to causing downtime and delaying treatment, even impacting clinical care if they can't get the data they need when they need it."
What you can do
Thankfully, physicians can take measures to protect themselves, their patients, and their practices without spending an arm and a leg. Most of the measures suggested by security experts call for investing time, not money. By following them, you'll get the added advantage of meeting most of HIPAA's security regulations.
First, consider that many of your security headaches may already have been cured by your IT vendors. Security experts stress that modern operating systems such as Windows XP and Apple's OS X come with sophisticated firewalls and virus detection built in. And many Internet service providers (ISPs), especially those catering to physicians, take strong security measures.