Besides being more valuable, it is relatively easy to get. Gary Davis, in a recent post on the McAfee blog, called it, "low-hanging fruit for hackers."
Most experts agree, even though in recent years there has been a greater awareness of the need for security of medical data. Both the federal Health Insurance Portability and Accountability Act (HIPAA) and HITECH mandate security policies, controls and other protections.
Martin Fisher, an information security manager for an Atlanta-based hospital system, said that those laws, along with, "enhanced enforcement by the OCR (Office for Civil Rights), has made a difference. I think the constant bar-raising and the willingness to impose large fines is moving the industry in the right direction," he said.
Still, he believes, "the state of security of PHI is where credit card data was five years ago."
And there are multiple reasons why making it more secure will not be a simple thing:
- Like most information, it is increasingly digitized. In the past, a thief might make off with a hundred folders by breaking into an office. Now, millions of records are accessible on healthcare networks.
- There is more of it. Millions more people are covered by health insurance. Panner also points to, "new and innovative sources of health information, whether that is fitness tracker data or rich genomic data."
- It needs to be available immediately in an emergency. "Do you want your grandmother's allergen information requiring complex passwords in the emergency room while she's going into shock?" Fisher asked.
- It is intended to be shared. The so-called "Meaningful Use" rule that is part of the Medicaid EHR (Electronic Health Record) incentive program requires that PHI be shared with other providers.
"We don't have good trust methods set up for that yet," Fisher said.
Panner agrees. "Health information has a strange paradox," he said. "You want it to be private from most people, yet when you require care, you want a lot of people to see it, really fast. You just want it to be the right people at the right time. That is a very tough workflow, and nothing similar exists in the retail or financial world."
- Patient access they are given their information to take with them on USB thumb drives or DVDs, to be downloaded elsewhere.
- More of it is online. There are portals that allow patients to access their medical records from home. The goal is to give patients more involvement in their own care and thereby improve clinical outcomes.
But Frenz noted that, "done insecurely, a patient portal is an easily exploitable public facing doorway into a healthcare institution's EHR system."
Frenz stressed that his opinions are not necessarily those of his employer, and that they reflect his view of the healthcare industry as a whole, not any specific organization.
Sign up for Computerworld eNewsletters.