Your Medical Data in the Cloud? Not So Fast, Says HHS Privacy Official
When it comes to electronic health records, “the switch to cloud is inevitable.” That’s according to Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT in the Obama administration, who spoke at a “Health Care, the Cloud, and Privacy” panel hosted by the Washington, D.C.-based advocacy group, Patient Privacy Rights.
Electronic health records are exactly what they sound like: A collection of health information in digital format that can include a wide range of data, from intimate details of your medical history and test results to demographic data to your billing information. Digital records are superior to physical ones because they can be transferred quickly when patients switch providers, help doctors get a complete picture of patient health, eliminate the need for redundant testing, and provide new opportunities for analyzing treatments for efficiency and effectiveness.
They are also supposed to be a cost saver. Some estimates have put the potential cost savings for switching over to electronic records as high as $81 billion annually, although the real world implementation hasn’t come close to hitting that target. Cloud storage and computing are part of this equation due to their potential to help make the transition to electronic health records more cost effective and unleash the analytics power of big data on health care information.
But while storing medical records digitally on the cloud may offer great promise for increasing the efficiency of the health care system, it is not without its challenges. Data security and privacy of health information are major obstacles where policy has not yet caught up with practice.
Whether in paper or in digital format, the privacy of health information is protected by the Health Insurance Portability and Accountability Act, or HIPAA. But the move to electronic health records and cloud storage present new security challenges some in the health care industry do not appear ready to face. The headline for a year-long Washington Post examination released in December 2012 called the sector “vulnerable to hackers” and quoted computer scientist and technical director of the Information Security Institute at Johns Hopkins University, Avi Rubin as saying,“I have never seen an industry with more gaping security holes… If our financial industry regarded security the way the health-care sector does, I would stuff my cash in a mattress under my bed.”
Even while the health care industry hasn’t been targeted with the same ferocity as other sectors, like the financial industry, those security holes are already being exploited. For example, Eastern European hackers broke into Utah’s state health records database, gaining access to personal information on 780,000 patients including some 280,000 social security numbers.
Beyond hacker attacks from afar, the sheer portability of technology has added another danger. Case in point: The privacy of 29,000 patients in Indiana was breached last week when devices with sensitive data were lost or stolen.
Yet those type of incidents are unlikely to slow the rapid move to electronic record keeping—especially with the up to $30 billion appropriated by the American Recovery and Reinvestment Act to encourage the shift. But as our risk has increased, so has HIPAA enforcement: There were 8,370 resolutions and 3,898 investigations in 2011, up from 4,799 and 1,393, respectively, in 2004. The Department of Health and Human Services recently made its first settlement enforcement on a small breach of fewer than 500 individuals’ privacy, signaling even tougher enforcement may be on the way.
In her closing comments, Pritts noted that with regards to cloud computing and general security of electronic medical records “the technology, the movement, and the practices are way ahead of the policy.” And it’s clear she’s right: Even beyond the obvious software-vulnerabilities perspective, our policies with regards to health privacy are woefully out of date.
For instance, HIPAA penalties focus on punishing disclosure and breaches of sensitive data collected by health care providers and insurers—but there are few protections against opportunistic data collection on health information from non-HIPAA sources. This is a pretty glaring hole considering that data miners can essentially create a health profile of almost anyone by collecting information from online postings, or pharmacy purchases, or both.
Of course, this hardly makes the privacy protections for electronic medical records unique. From copyright law to the privacy of personal communications, our laws are consistently unprepared to handle how technological innovations change our society. Remember, the federal agents can read most of your emails without a warrant because the law governing access hasn’t been updated since 1986. But in the case of electronic health records and cloud computing, the opportunity to modernize our systems and the policies governing those systems could have a truly beneficial impact on the control patients have over their own health data.
Andrea Peterson is the Social Media and Analytics Editor at American Progress. Image credit: Big Stock Photo.
Comments on this article