IT & Society Laura Taylor
Chapter 4 Case 2 and 3
How Secure Is Our Healthcare Data?
Q. 1.) According to “Medical Practice Trends,” loss of electronic medical records is the most common security breach concerning medical records. In May 2009, the UK National Health System lost thousands of patients’ medical records. This may not seem like a security breach to some, but it is inherently dangerous to misplace electronic files, because once they are “misplaced” it is unknown whether they are in the hands of someone with a nefarious purpose or merely destroyed. Even if these records are merely destroyed, it is a dangerous situation for patients whose doctors may be counting on those records for future treatment.
Q. 2.) Though ARRA has expanded HIPAA’s privacy provisions by extending privacy rules beyond the health care institution to organizations and businesses that are associated with specific health care institutions, it still relies on these organizations to do their own policing. Some of the better provisions, such as requiring healthcare institutions to notify individuals of security breaches, are only as good as the ability of a particular institution to maintain awareness of security problems and to act upon them in a timely fashion.
Restricting high-risk data to only those people who must have access is a good way to keep the data in segments so that either no one or a very limited number of people have the entire picture of a patient’s data. The Journal of AHIMA Articles states: “…[s]eek EHR products that offer security features consistent with their needs. EHRs must have the ability to limit access and provide screening controls to only those staff working directly with the patient or those with administrative responsibilities (such as risk management, legal, and HIM). Screening controls should include the ability to redact sensitive information that should not be disclosed.”
Q. 3.) The implementation of ARRA, while recognizing that a problem exists and working towards a solution, does not ensure secure health records. ARRA treats outside vendors and business partners of healthcare organizations as the problem, in the sense that it seeks to tighten security within these relationships. Many of the problems with security breaches stem from the fact that the patient is not aware until something unfortunate occurs. If the security breach is a loss of health records, then neither the patient nor the doctor will be aware of the loss until the records are needed, by which point it is too late.
The Department of Health and Human Services is depending on data interoperability and the adoption of measurable standards for the type of advancement necessary for EHRs. The Health Care Information Technology Standards Panel (HITSP) is working to set and adopt these standards, but already they have issued over 1100 pages of specifications. This work could go on for a long time, which leaves the public at risk.
Security breaches of personal data will continue as long as there is information in EHRs that can be used for monetary gain. The loss of patient medical information notwithstanding, monetary gain is normally the most appealing reason for information theft. To thwart or at least have a fighting chance against this type of information theft, technology must be aligned with the needs of this kind of data. How can this data be encrypted or fragmented so that no one person has all of the pieces necessary to breach the security of the information? The key, it seems to me, should have been to create the kind of secure systems necessary to hold high-risk personal information in an electronic form. However, as so often happens, the cart was placed before the horse, and now the government and private industry are looking for solutions to a problem they should have been more aware of from the beginning of this enterprise.
Self-policing of institutions does not work. That is not to say that these institutions are not capable of having honest workers and of creating a secure environment. The problems that exist within healthcare institutions reflect the same issues that they have in keeping data secure. Hospitals are famous for losing test results and other important health care information. How is it that these same institutions are left to handle their own security for high-risk data? It is not a logical step, and at this point government involvement, even with ARRA and HIPAA, is cumbersome and not conclusive.
The technology to correct the security issues needs to be in place, along with the realization that even with the perfect technological answers there will still be human beings attempting to breach the security of this information for their own gain.
Q. 1.) Google has taken the use of personal information to its natural conclusion in the realm of internet marketing. Learning what people want, where they want it, and when they want it is what has made Google as successful as it is. The idea, in my view, is to create a convenience of choice for the consumer. How simple is it to go to Google to search for an item, only to have its availability and location flashed across the screen? Most people appreciate this aspect of Google, without understanding that to have these conveniences and results we give some of our information to the Web.
There is nothing inherently wrong or evil with the Google business model; in fact, it is quite brilliant. Google is giving consumers what they need and want, really fast. There is very little argument that Google has found a way to provide exactly the information we need at lightning speeds, while maintaining information about us that can be used to assist future searches and preferences. When Google “gets to know you,” searching becomes faster and more accurate, because Google is aware of where you have been and where you currently are located. For some people this sounds scary; for others, it is just another piece of the Web that makes it more convenient to use.
Q. 2.) For many people it seems that the idea of the Web knowing where they are located is disconcerting. Google Earth, and Street View in particular, cause a great deal of excitement among people who feel that their privacy is at stake. It is, however, a false sense of security that one might have by not being on Street View. With a GPS and a cell phone, it is not difficult to find anyone, anywhere.
Perhaps as a society, we need to decide whether we want the convenience of Google and its applications or if we want to be anonymous. Anonymity is nearly impossible in this age. What is interesting is that people tend to react to things that they do have control over. The issue with cookies is one example of computer users not being familiar enough with their systems and not knowing that they can clear cookies and other tags that Google applications attach to a system. Many of the same people who might use a social networking site like Facebook will have concerns about Google, not realizing that they have given up a great deal of their privacy by just being on Facebook or similar sites.
Q. 3.) It seems impossible to really tell whether Google has taken all of the security measures it possibly can to protect consumers. However, a business like Google does not want to be known for its security breaches. Any problem with security that affects consumer information is a major problem for a search engine. If you think about our nomenclature, for instance, we do not say, “go on the internet, find a search engine, and use key words for your search.” We do say, “Google it,” which means all of the previous words. Google does not want to have security breaches; however, it does not always have a choice as to how people use the information gathered on its site. Security on a site like Google is all about the engineering: using the least amount of resources for the most results. It is unlikely that Google wants to spend a lot of money protecting its customers, but if it does not, it will lose business. Google does not like to lose business, so I can only assume that it will do everything possible to keep its customers’ information safe.