Patient advocates and technology experts are lashing out at a $20 billion provision in President Barack Obama’s stimulus plan that calls for mass digitization of medical records with little regard for the security or integrity of the sensitive personal data.
The push to put these records in huge computer databases and online repositories not only threatens patients' privacy, but could also result in large-scale selling of medical data for commercial purposes, experts add.
"The more software moves to Web-enabled platforms, the greater the availability becomes to distant attackers,” said Trey Ford, director of solutions architecture at White Hat Security. “Organizations will sprint to demonstrate compliance with HIPAA or whatever other security controls are required at audit time, and will fail to maintain the vigilance required to truly manage risk.”
While details of the medical-records provision in the $789 billion stimulus package are still being ironed out, the president seems intent on funneling up to $18 billion, in the form of increased Medicare and Medicaid reimbursements, to doctors who digitize their patient records. The remaining $2 billion will come in the form of grants to help doctors and other healthcare providers pay for the new hardware and software they'll need to make patient records electronic.
What worries experts most is how few of those dollars will go toward developing effective safeguards for patient data. They are also concerned that, if House leaders get their way, it will be up to the secretary of Health and Human Services to decide whether consumers should be notified when their records are illegally accessed.
“We raised concerns about the unintended consequences of some of these provisions,” Robert Zirkelbach, a spokesman for America’s Health Insurance Plans, told Bloomberg. The Washington-based group represents 1,300 managed-care companies, including WellPoint Inc. and UnitedHealth Group Inc.
In addition, there are worries that fully electronic medical records could be a target that's too good to resist for identity thieves and hackers.
"Externally, pharmacies, other care providing organizations, as well as consumers will access a limited subset of this information remotely over Web sites, Web applications, and Web services," Ford said. "Citizens will need to know that organizations are carefully measuring the vulnerability exposure of their Web-enabled software. If they cannot, in a continual manner, measure the insecurities of their software, they cannot truly know their current exposure or risk over time."
Still, some in the industry believe things are heading in the right direction in terms of privacy safeguards. An industry group called the Certification Commission for Healthcare Information Technology is overseeing efforts to impose stringent certification standards on products used in health care organizations, including encryption and other security safeguards.
"The requirements are getting more stringent every year and there are security provisions at every level," said Paul Ruflin, president and COO of Noteworthy Medical Systems, a Cleveland-based provider of health care solutions. "The long-term view is to have electronic health records so doctors can share data on patients in a more fluid way. Once you have that, it doesn't mean you're sending data all over the place. Things are moving in the right direction to allow this to be done in the proper way."
© 2013 Newsmax. All rights reserved.