Wanted: A cure for medical data breaches.

Ed Gaudet
Feb 02, 2012

The New York Times recently ran an article, based on a HIStalk Practice post, chronicling a data breach at the Massachusetts eHealth Collaborative. Data breaches in healthcare are certainly not new. Most healthcare breaches reported today occur when electronic patient information (“protected health information,” or PHI, in the HIPAA regulations) is stored unencrypted on a laptop, phone or portable drive that is then lost or stolen. The HITECH breach-notification rule, like most state breach laws, provides a safe harbor for encrypted data: if the PHI on a lost device was encrypted and the key did not travel with it, the loss is not a reportable breach, and the notification obligations and the penalties that follow from them do not apply. A device whose decryption key sits on the same disk, or whose passphrase is taped to the lid, does not earn the safe harbor. So if the remedy is that straightforward, why does the number of healthcare breaches continue to grow at alarming rates?

Performance-based care delivery requires electronic records: Healthcare, which today accounts for 17% of our nation’s annual GDP and is still growing, is plagued by escalating costs driven by an inefficient fee-for-service model: the more medical services ordered, the more revenue (and cost) generated. To get control of costs, healthcare is moving from the transaction-oriented fee-for-service approach to a data-driven, pay-for-performance model. To that end, U.S. healthcare providers are rapidly moving from paper to electronic care delivery, with the digitization of patient records at the core of this $2.6 trillion industry’s transformation. Given advances in mobile technology and telemedicine, we can expect over 90% of the world’s healthcare to be delivered using electronic medical records within the next five years. Every newly digitized record is one more record that can be copied onto a laptop or phone, so at these rates we can expect the number of reported breaches to be even greater next year, after rising an astonishing 32 percent in 2011 according to the Ponemon Institute.

Current technology approaches are failing: Many electronic medical record (EMR) applications were designed on older client/server architectures that persist data on the local PC or device, leaving it exposed the moment the device is lost. With patient information stored on PCs, laptops, smartphones and other devices, healthcare providers must encrypt every device, at an average three-year cost of $300 per device including software license and labor (an example project: http://medschool.ucsf.edu/isu/som-laptop-encryption/), and must then keep the encryption switched on, the recovery keys escrowed and the device inventory current, because a single forgotten unencrypted laptop is a reportable breach waiting to happen. Next-generation approaches such as virtualized computing are being adopted as a better, more cost-effective solution: PHI is never stored on the endpoint, and the data can be reached whenever it is needed from a variety of devices. All applications and data stay on the server and run centrally, so the endpoint can be cheaper hardware such as a thin client, or a personally owned device such as an Apple iPad, that only ever displays screen images. Combined with strong, cost-effective access management, authentication and single sign-on, virtualization offers a fast, secure and highly mobile solution for care providers that fits the emerging model of care delivery. It moves the risk rather than removing it, however: the server farm and the credentials that unlock it become the high-value target, so the session must be encrypted in transit, idle sessions must time out on unattended devices, and access to records must be logged and reviewed.

This is an exciting time for healthcare providers and professionals. Never before has an industry experienced such a rapid transformation driven by new technologies, economic models and government incentives. Advances in secure access and virtualization will not only improve the adoption of electronic medical records and workflow efficiency, but have the potential to eliminate the lost-and-stolen-device breaches that dominate today’s reports. There is too much at stake to let our nation’s healthcare system fail.