No Security for Health Information
The daily stories of personal health information being stolen or lost cannot be a surprise to anyone by now. And PHI in EHRs or health information exchanges will continue to be released without authorization, or stolen, because there's no real enterprise-class information management architecture in any of the HIE or EHR products that we know of.
In fact, the health care IT industry is riddled with very poorly designed systems from an information management and security perspective compared with, say, the world of finance. Relatively speaking, we read about almost no leakage of financial information compared with health information, especially if you compare the relative value of financial information versus health information.
If you give a thief a choice of details of 10,000 brokerage accounts or commercial bank records, versus 10,000 medical records, guess which he'd rather have?
So why do health records "go wild" so often? Because they're so easy to steal. What makes health information so easy to get to, and financial records so hard, is the very nature of the underlying technology and data access architecture in the applications and databases.
Most EHR data is in Windows-based client/server applications. These applications have direct access to the database. Once you probe that database or steal a Windows client that has a copy of the information, there's basically no way to protect it – encryption is a joke.
Most financial information sits on a mainframe computer in a secure data center and is stored in robust database software, which is shielded from the application by well-defined and managed transaction management software. The only way to get to the information is via a secure, managed, controlled, specific transaction. Incidentally, when there's a release of financial information into the wild it's typically because somebody thought it was a good idea to allow it to be put on a PC.
Until the health care industry adopts the same enterprise-class data architecture found in almost all financial systems, health information will be easy pickings for thieves.
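The contrast between the two access models, sketched as an added example that is not from the original column: a client holding a raw database connection can read every record, while a gateway that exposes only named, role-checked, audited transactions returns one minimal row at a time. SQLite stands in for the back-end database, and the table, roles and transaction names are hypothetical.

```python
import sqlite3

def make_db():
    # Constructed sample records; schema and values are illustrative only.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE patients(id INTEGER PRIMARY KEY, name TEXT, ssn TEXT, diagnosis TEXT);
        CREATE TABLE audit(user TEXT, txn TEXT, patient_id INTEGER, allowed INTEGER);
        INSERT INTO patients VALUES (1, 'Ann Example', '000-00-0001', 'asthma'),
                                    (2, 'Bob Example', '000-00-0002', 'diabetes');
    """)
    return db

def direct_client_dump(db):
    # Client/server model: the application holds the connection, so any
    # query runs, including one that returns every column of every record.
    return db.execute("SELECT * FROM patients").fetchall()

# Mediated model: the only operations that exist are these named transactions.
# Each maps to (roles allowed to run it, fixed parameterized single-row query).
TRANSACTIONS = {
    "get_diagnosis": ({"clinician"}, "SELECT id, diagnosis FROM patients WHERE id = ?"),
    "get_billing_name": ({"clinician", "billing"}, "SELECT id, name FROM patients WHERE id = ?"),
}

class TransactionGateway:
    """Sits between callers and the database. In a real deployment this is a
    separate tier, so callers never hold database credentials at all."""

    def __init__(self, db):
        self._db = db

    def run(self, user, role, txn, patient_id):
        roles, sql = TRANSACTIONS.get(txn, (set(), None))
        allowed = role in roles
        # Every attempt is recorded, whether or not it is permitted.
        self._db.execute("INSERT INTO audit VALUES (?, ?, ?, ?)",
                         (user, txn, patient_id, int(allowed)))
        if not allowed:
            raise PermissionError(f"role {role!r} may not run {txn!r}")
        return self._db.execute(sql, (patient_id,)).fetchone()

    def audit_trail(self):
        return self._db.execute(
            "SELECT user, txn, patient_id, allowed FROM audit").fetchall()
```

Through the gateway there is no transaction that returns the SSN column or more than one patient, and denied attempts still leave an audit row to alert on.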
And don't get me started on HIPAA, which is like parking your car at the mall with the doors unlocked, windows rolled down, keys in the ignition, engine running, full tank of gas, with a post-it on the steering wheel that reads "Please don't steal my car or you will be in BIG trouble."
This column originally appeared on Health Data Management.