“Paper is an insecure form for storing patient data, which is at best locked behind doors or within file drawers,” says Stephen Moulton, director of product development for Innovative Card Scanning, a developer of scanning devices and software for hospitals and practices. “Paper can be copied, stolen, taken without you even knowing it, as well as lost or misplaced, which could give you the feeling that it was stolen if it is out of your control or possession.”

Thomas Weida, medical director of the University Physician Group at Fishburn Road in Hershey, Pa., says that in his previous paper-based office, he recalls an instance in which a file clerk easily pulled a specific paper chart she was unauthorized to view — her ex-husband’s. The practice fired the employee when it learned what she’d done, but not before she shared the stolen information with others. Of course, the practice also had to inform the ex-husband about the incident. Certainly, this was nothing to call a press conference about, but it was a privacy violation for which the practice was responsible, nonetheless.

“From my personal experience,” says Weida, “the protection for inadvertent or malicious access to charts is better electronically than it used to be when we had paper charts. With paper charts, anyone could go to the chart rack, open it up, and look at the full chart. If they were really slick people from outside, they could throw a stethoscope around their neck and put on a white coat and flip through records. … I would say that the information is more secure now than it was before even though more people have the potential to access it, and that’s because we can track every access.”

Electronic charts may be better protected than paper, but they’re hardly failsafe. Indeed, Weida reports that his current practice, which uses an EMR, also experienced an incident in which a woman snooped through her ex-husband’s medical records. In this case, recalls Weida, “the initial excuse was that she needed his new address. But our IT department was able to look at that record, realize that she opened it more than once, maybe about five or six times, and also realized that she was not just opening demographic data. She was terminated. We have a very strong policy on that here. You only get one strike, and you’re out.”

One significant difference between the incidents: The EMR-based practice didn’t have to find out through the grapevine about the security breach or launch a he-said/she-said investigation. The computer kept a record of each accessed file. Another difference: The EMR practice was able to implement additional security protocols to prevent further breaches.

The office network now has a built-in mechanism to ensure that only those authorized individuals can view sensitive patient information.

The bottom line: Both paper and electronic charts are vulnerable to theft or loss. But while paper records carry their inherent vulnerabilities, a stolen or improperly accessed laptop can reveal much more patient data than a single paper file. Although the healthcare industry has in general been slower to adopt new technologies, the electronic age has dawned, and there’s no turning back. You can no longer operate an efficient practice without some type of software containing patient data. And like most new technologies, these capabilities bring with them new opportunities for criminal activity.

An ounce of protection

Still, most people give little thought to the consequences of stolen hardware until it happens to them. When Mark Anthony LaPorta, an internist in Miami, purchased a software-based theft protection service for his new laptop a couple of years ago, it was little more than an afterthought. His fancy new computer cost him $2,000, and paying an additional $105 for three years’ theft protection seemed to make sense. “I was going to be carrying a big brand-new laptop around,” says LaPorta, “so I thought, ‘Let’s protect it and see what happens.’ I’m amenable to that sort of thing. … I thought ‘Oh well, after three years, I’ll forget about it; nothing will happen.’”

Turns out he didn’t have to wait long before something did happen.

A few weeks later, while traveling on a speaking circuit, LaPorta received a call from his local police, informing him that his house had been broken into. He was told that nothing appeared to be missing, but when he returned home he discovered that the shiny new computer he had left sitting on his coffee table was gone.

So LaPorta reported the theft to the vendor of the Computrace LoJack software he’d purchased. At that point, the vendor placed Computrace’s monitoring center on alert for the missing computer. When the thief logged onto the Internet on LaPorta’s stolen laptop, the computer “called” the monitoring center every 15 minutes, allowing Computrace to track its whereabouts.

A week later, LaPorta received an e-mail from his vendor telling him that his computer had “called home.” Computrace’s own “recovery team” was activated and worked with LaPorta’s local law enforcement and his Internet Service Provider to obtain the necessary subpoenas and warrants to apprehend the thief and recover the computer. A few days later, LaPorta’s vendor restored the stolen laptop to the police station in his home town. All he had to do was pick it up.

When LaPorta booted up his retrieved laptop, none of his data was missing: “The software I purchased puts itself on the hard drive, buried down deep inside of the computer, so even if the thief tried to wipe the drive to start over after stealing it, he couldn’t.”