March 28, 2011

Make Privacy and Security a Year-Round Focus
By Deborah C. Peel, MD
For The Record
Vol. 23 No. 6 P. 8

Wikileaks is just the latest high-profile story to increase everyone’s fears about data privacy and security, something the public is more aware of now than ever before. If top-secret data can’t be secured, what hope is there for health data?

If we don’t build trusted systems, people will potentially begin avoiding treatment, putting their health and lives at risk. That’s something healthcare professionals should keep in mind year-round, not just during Health Information Privacy & Security Week (April 12 to 18).

Large health databases used by providers, state agencies, disease registries, and federal agencies are a fact of modern life, but we must keep learning about the unintended consequences and benefits that can result from these systems.

Ross Anderson, a professor of security engineering at the University of Cambridge, describes a need for eternal vigilance. “Creating large databases of sensitive personal information is intrinsically hazardous,” he says. “It increases the motive for abuse and the opportunity for abuse at the same time. And even if the controls work perfectly to prevent unlawful abuse (whether by outsiders or insiders), the existence of such databases can lead to lawful abuse. Powerful interests in society lobby for and achieve access to data on a scale and of a kind that sensible people would not permit.”

In its 2009 report “Beyond the HIPAA Privacy Rule — Enhancing Privacy, Improving Health Through Research,” the Institute of Medicine wrote that “breaches of an individual’s privacy and confidentiality may affect a person’s dignity and cause irreparable harm” and “[unauthorized disclosures] can result in stigma, embarrassment, and discrimination.”

In 2010, FairWarning, a provider of security solutions, reported that during a typical breach remediation project at a large multihospital system, it found between 115 and 120 privacy breaches per month after deploying breach monitoring technology. After offending staff members received individualized awareness training with follow-up sanctions, breach rates dropped to around two per month. The 99.2% reduction in breach rates was a result of targeted training and meting out and publicizing penalties.

Meanwhile, polls indicate growing public concern about the lack of data security and increased awareness that health information is at risk.

A 2009 poll by NPR, the Henry J. Kaiser Family Foundation, and the Harvard School of Public Health, “The Public and the Health Care Delivery System,” found that 59% of Americans are not confident that their online medical records and personal health information (PHI) would remain confidential. Seventy-six percent believed an unauthorized person could gain access to their online medical records.

Key findings from 20 consumer focus group meetings, conducted in July 2009 by the Agency for Healthcare Research and Quality, found that the public expects to control PHI in HIT systems and data exchanges. Among the results were the following:

• A majority of people want to “own” their health data, deciding what goes in their medical record and who has access to the information.

• Medical data are “no one else’s business” and should not be shared without permission … [as] a matter of principle.

• There was no support for ... general rules that apply to all healthcare consumers.

• Consumers should be able to exert control over their own health information individually rather than collectively.

The bottom line is that many Americans appear to care deeply about data privacy. They don’t just say they want privacy, they act.

A 2005 survey conducted by the California HealthCare Foundation found that between 13% and 17% of consumers engage in information hiding. One in eight Americans puts their health at risk because of privacy concerns. These individuals take the following actions:

• avoid seeing their regular doctor;

• ask their doctor to alter a diagnosis;

• pay for a test out of pocket; and/or

• avoid tests.

In addition, Health and Human Services has released figures on the estimated number of Americans who have not sought treatment because of privacy concerns, including 586,000 for early cancer treatment, 2 million for mental illness, and millions suffering from sexually transmitted diseases. In addition, The RAND Corporation found that 150,000 soldiers suffering from posttraumatic stress disorder did not seek treatment because of privacy concerns.

What can consumers do? How can healthcare professionals help their organization prioritize security and confidentiality?

The following are helpful ideas that will help build a culture of data protection:

• Learn about internal and external data security breaches.

• Make sure systems are monitored for viruses and malware and appropriate access controls are being used.

• Be on the lookout for insider threats, including the use of unauthorized credentials by in-house staff and service providers such as software engineers and hardware repair staff.

• Watch for and prevent outside threats by avoiding or blocking thumb drives and by banning the use of person-to-person file-sharing software on system computers.

• Urge your organization/provider to invest in meaningful and comprehensive security.

• Lead by example. Talk to friends and colleagues about better ways to protect data.

• Sign up for alerts from Patient Privacy Rights at www.patientprivacyrights.org.

• Place Congress on notice by signing the “Do Not Disclose” petition at http://patientprivacyrights.org/do-not-disclose.

No one will reap the benefits of HIT and data exchange unless each of us works to protect patient privacy and security. The only way we will have trusted systems is if each of us does our part.

If we don’t act now, the stimulus billions will be used to build the largest, most intrusive digital surveillance system in the world, monitoring the most intimate facts about our minds and bodies.

— Deborah C. Peel, MD, is founder of Patient Privacy Rights.