Protecting Online Healthcare Records: Is it Possible?

By Evra Taylor

LegalAngle

“They’re vacuuming up your data.” That’s how a cyber protection expert recently described the growing phenomenon of health records being stolen and patient charts being hacked from websites and sold on the black market. While the Internet used to be viewed as an impenetrable fortress guarding health data and other private information, it has now become a gateway to cybercrime.

Electronic health records (EHRs) may contain a range of administrative and personal health information, such as names, provincial health card numbers, diagnostic codes, diagnoses and test results. From 2006 to 2012, medical and health care providers in the U.S. experienced 767 security breaches that compromised the confidential health information of more than 23 million patients.

In December 2013, the St. Joseph Health System in Texas confirmed a security breach affecting the records of up to 405,000 past and current patients, employees and their beneficiaries. The attackers may have gained access to records including names, Social Security numbers and possibly addresses, along with patients’ medical information and employees’ bank account data.

One of the most egregious examples of cyberhacking occurred in 2013 when a laptop containing the personal health information of 650,000 Albertans was stolen.

Pros and Cons for Canadians

In a document drafted in 2012, entitled Protecting Privacy in an Era of Electronic Health Records, Ann Cavoukian, Ph.D., Information and Privacy Commissioner of Ontario, contrasted the promise and perils of EHRs. It included the following:

On the positive side, EHRs:

• Can facilitate the provision of more efficient and effective health care and improve the quality of care provided.

• Require less space and fewer administrative resources to maintain than hard copies.

• Can be designed to enhance privacy through access controls, audit logs, strong encryption and authentication.

• May be more complete and readily accessible by all healthcare providers involved in the health care of a patient, regardless of location.

On the negative side:

• If privacy is not embedded in the design of EHRs, they pose unique risks to privacy and the security of personal health information.

• They allow for massive amounts of personal health information from diverse sources to be collected, used and disclosed.

• Unauthorized uses attract hackers and others with malicious intent, including authorized healthcare providers who access the information for purposes other than providing health care.

Moving from bad to worse, the FBI’s Cyber Division is issuing warnings about patient charts being hacked from websites or stolen from computers and sold on the black market. Patient health information has more value to hackers on the black market than credit card numbers because it may contain prescription information for controlled substances. In addition, it potentially contains details that can be used to access bank accounts.

Looking for Answers

Regarding the Alberta breach, IT World Canada reported that according to Tony Busseri, CEO of the Toronto-based security and ID management company Route 1 Inc., the incident could have been avoided if the parties concerned had been following proper privacy and data protection policies.

Busseri cited a lack of safeguards by the Ministry of Health around its sharing of health records with other organizations such as private health centres. He also said that Medicentres, the Edmonton health clinics involved in the 2012 breach, should have a policy that prevents employees and contractors from carrying sensitive information and patient data on their electronic devices.

As often occurs, the remedies to the problem seem obvious after the fact. But until the security of electronic health records is buttressed, Canadians and Americans have reason to be concerned about sharing their personal health information.