Healthcare is an important part of our lives, and as the sophistication of treatments increases, so does the complexity of our records and the data that is created around that. The data in healthcare is becoming more and more open to vulnerabilities. There is not only an over reliance on IT technology without proper security for record and data keeping, but also an under utilization of IT in providing up to date health care. How do we strike a balance between getting the right healthcare to patients, and protecting the privacy and the data that is collected?
The United States government is attempting an ambitious project to transform their health care records in the Defense Department. They are offering up an $11 Billion contract to help them modernize their electronic health record (EHR) program. The IT systems that control and protect the health care data is greatly outdated and requires sever modernization. As part of this modern overall, a large amount of digitization is required. This is when the paper records that are kept are transferred via scanning systems into their digital equivalent.
Privacy & Security
Healthcare policy makers are beginning to get worried. A recent research paper that was produced from the International Journal of Applied Information systems reviewed the previous attempts to improve and update privacy and security in EHR systems. The results were not good. If the patients that use the health care systems, believe that their data and privacy could be compromised, they are reluctant to take treatments on offer. Privacy and security are 2 different challenging concepts. Privacy is about how your information is used and accessed by third parties, and what is done to that data, that might not be of your wishes, while security is the accessing of the information in the first place from an unidentified external source.
The U.S. Department of Health and Human Services and the Health Insurance Portability and Accountability Act (HIPAA) were examined to have suffered nearly 1000 breaches from 2010 to 2013. This affected the data of more than 29 million individual health records. It was discovered that more than half of these security breaches came from the theft and loss of laptops, and also USB flash drives. There was a small loss of paper records that made up the data loss to, so it wasn’t just a breach of security from the new technology that made up these serious issues.
Hacking into records represented less than 1/3 of all the breaches taken place. Dr. Vincent Liu from Oakland California stated that although the problem of security and privacy is not unique to the healthcare industry, the data could not be changed once it had been compromised. This still won’t be reassuring for those that have detailed health problems on record. The case for pseudonymization of records remains strong.
A big conundrum in healthcare and many other industries is who actually owns your data. In health care there is the traditional approach to data accessing health records which would be provider or hospital based. With the provider based approach, access control is used as the method for enforcing patients privacy. This is when the request for information is granted or denied on a case by case basis. There is also the Role Based Access Control (RBAC) approach which offers different degrees of access to different people based on their role in the patient care. Due to the complexity and ever increasing levels of healthcare this approach has been given the impractical thumbs down.
Personal Record Keeping
There is another approach that is considered more revelountary, for todays security paranoid world. A patient centric approach with a system of patient controlled encryption (PCE) at its heart. The patients would be in charge of generating and storing encrypted their own medical data on keys, such as mobile devices or cryptographic key tokens. This approach has been criticized though for the time consuming and critical difficulties that would take place if the data key could not be accessed on time in an emergency for example.
With the future of data keeping becoming more and more automated via specialized systems, its becoming easier than ever before to see the loopholes and lack of security in certain approaches. Time will tell if we can build a system that will not only respect our privacy, but will be make that privacy the very core of its approach.