By: Robert "Bob" Cooke
Major portions of our national
infrastructure, such as our power grid or aviation, are “secured” through
National Standards. Should our electronic health record (EHR) be next?
Spearphishing, social engineering,
dictionary attacks, trojans, and a myriad of other techniques are used every
second to attack computers. Hacking and the associated terms have entered our
vernacular. Hackers obviously want to extract information of value from
wherever they can.
According to a recent article, over $2.5 billion has been paid in federal incentive payments to hospitals and physicians who have attested to meeting the Stage 1 meaningful use criteria through the adoption of certified EHR technology. One of the Stage 1 criteria requires that this data be protected. Here is what Measure 15 says exactly:
Objective: Protect electronic
health information created or maintained by the certified EHR technology
through the implementation of appropriate technical capabilities.
Measure: Conduct or review a
security risk analysis in accordance with the requirements under 45 CFR
164.308(a)(1) and implement security updates as necessary and
correct identified security deficiencies as part of its risk management
process.
Big hospitals and IT departments are
already well aware of their security obligations, and obviously have
protections, policies and safeguards in place; they have even read 45 CFR 164.308(a)(1).
Sure, there are simple safeguards that can be implemented to protect data, perimeter defenses and the like. But several of the techniques listed above, spearphishing and social engineering among them, go around the perimeter rather than through it, and the hackers are smart and have their own meaningful use incentives in place.
So far, only $570 million of the above $2.5 billion has been paid to physician offices and practices, but I'm guessing this piece is going to grow pretty quickly. Another significant statistic is $100 billion, the estimated amount of fraud that occurs in healthcare every year. We have all been to a small doctor's office, and it is fair to say that familiarity with these standards, and the ability to meet them, is lower there than in a large hospital.
The value of a connected health record is uncontested: the public wants it, the government is paying for it, and the hackers want it most of all. The challenge is to realize its potential to deliver care while keeping the records out of the hackers' hands. There is a lot at stake, and with an estimated $100 billion in annual fraud set against $2.5 billion in incentive payments, the ratio of fraud to incentive is badly out of whack.