WASHINGTON – About 30 miles outside of Philadelphia, Siemens USA, the electronics powerhouse that creates health technology and services, has its health care headquarters, a fortified building that houses millions of medical files.
Employees must pass a vibration-sensitive fence, three ID badge checkpoints, a bomb detector and a biometric hand scanner just to get through the front door.
“If you don’t belong there you stand out like a sore thumb,” said Dan Emig, vice president of hosting services at Siemens. “We are very focused on protecting patient information as a core part of our business.”
As part of his 2009 stimulus package, President Barack Obama offered $27 billion to encourage all physicians to computerize health records by 2015. Siemens is one of a dozen major vendors, including General Electric and NextGen, in the health information technology industry. Health IT mainly refers to the computerization of paper patient files, but it also includes how professionals manage the exchange of information between doctors, patients, insurers and the government using software.
As medical professionals scramble to create electronic patient records, privacy advocates have voiced concern over the security of the health IT programs.
“Some of our most valuable information is our health information,” said Lillie Coney, associate director at the Electronic Privacy Information Center, a civil liberties research group. “If [health records] are going out over the Internet, we have to be able to ensure it’s secure.”
Recent incidents suggest the need for more safeguards. Security auditing company RedSpin released a report in 2010 revealing that 225 health data breaches affected more than 6 million patients.
“These were not accidents. People are actively seeking to steal health information,” said Harley Geiger, a policy counselor at the Center for Democracy and Technology.
And last November, five people were charged with hacking into a database and stealing the identities of emergency room patients at Holy Cross Hospital in Aventura, Fla.
Hackers can lift patients’ information to illegally obtain prescriptions or services, Coney said, calling it “health identity fraud.”
She also noted that health files often contain sensitive health information that can affect how people are treated.
“Will they give you a loan if you’re dying?” Coney said. “It’s not that long ago when people’s reactions to the AIDS epidemic were violent.”
Starting this year, the Department of Health and Human Services is requiring medical institutions to tell patients when their health information has been sold or stolen—but HHS only defines these incidents as “data breaches” if they affect more than 600 people. Privacy advocates like Geiger and Coney say the government should regulate health software even more closely to ensure the safety and privacy of patient information.
SAFE AND SOUND
Siemens manages the digital health records of more than 1,000 hospitals and half a million health care professionals. Emig said that Siemens, like other major health vendors, practices three types of security: physical, in transit, and logical.
Physical protection refers to the barricades that stop unauthorized users from touching or even seeing the computerized health records; in transit involves the safe transfer of medical records, which often need to move between hospitals and doctors’ offices.
According to the RedSpin report, most hackers stole information from mobile devices such as USB drives, laptops and cell phones. That’s why the best security lies in encryption and passwords, Geiger said. Using algorithms, programs can translate health information into indecipherable symbols.
The importance of in transit security was highlighted in 2006 when a laptop belonging to a Veterans Administration employee was stolen from his home. The computer contained a database detailing all VA workers’ personal information. For this reason, Siemens forbids employees from transferring health records to personal computers, Emig said.
Logical security targets the servers holding the information. This includes everything from installing firewalls to reviewing the company’s security policies.
“The security people get audited by security people,” Emig said.
Jim Garity, Siemens’ director of risk management, reviews the company’s security practices daily. His department has only investigated a few cases that stemmed from employee misunderstandings, Garity said.
But in 2009, federal agents raided Siemens’ medical headquarters in connection with a military contract. According to an April 27 article in HealthCareITNews.com, Siemens, which had a Department of Defense contract to sell medical IT imaging to the military, came under fire for alleged fraud and bribery; the company settled by paying $1.3 million to Germany and the U.S.
Lee Thien, a policy expert at the Electronic Frontier Foundation, said outside agencies should audit companies’ practices to maintain transparency.
“We don’t have an architecture that looks at the system overall,” Thien said. “We don’t have a view of the data flows to give you an idea of how leaky it is and who gets what information.”
PRIVACY AND HIPAA
The Health Insurance Portability and Accountability Act of 1996 regulates how health facilities transfer electronic health records. These rules apply to “covered entities” as defined by HHS, which include health plans, billing systems, or providers that transfer electronic medical records.
The legislation states that systems should always protect and secure patient information; health care providers must at least notify patients when they give their information to third parties, such as data mining businesses.
But companies like WebMD and Weight Watchers, whose websites are not HIPAA “covered entities,” do not need to follow health privacy protection laws, Coney said.
To register and get medical advice from WebMD’s experts, users must enter details about their health condition, their family’s medical history and any prescriptions taken. WebMD says it does abide by consumer privacy laws, but reserves the right to sell any health information to third parties.
“Those entities are not identified as health care providers so health information privacy regulations don’t apply,” Coney said.
Geiger said that legislators wrote HIPAA before people had begun widely using the Web instead of their doctors for medical information.
“Because of the Internet’s flow of patient information, the realm of health privacy and consumer privacy are starting to merge very quickly,” he said. “Privacy protections should be in place no matter the economic sector.”
Even if users don’t need to register to use a medical website, web-tracking cookies can trail where they’ve visited, Coney said.
“I leave information maybe I didn’t intend to,” Coney said. “When you click on ‘breast cancer,’ they sell this data, they share this data.”
Tempered by consumer laws like the 1970 Fair Credit Reporting Act, health companies often “scrub” identities before selling prescription and health information; names can easily become serial numbers.
But Thien argues that data miners like ChoicePoint and Acxiom can paint portraits from a few details; those same serial numbers can track a patient’s future prescriptions and services.
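The linkage problem Thien describes, as an added example that is not part of the article: the same stable serial number lets two “scrubbed” datasets be joined back into one patient history, while a pseudonym keyed per data recipient (an assumed design, not one the article attributes to any vendor) breaks the join between recipients. All records and keys below are constructed for illustration.

```python
# Added example (not from the article): why "scrubbed" records that share one
# stable serial number still link a patient's future prescriptions and services,
# and how a per-recipient keyed pseudonym (assumed design) breaks that linkage.
import hashlib
import hmac

# Constructed sample records, as a vendor might hold them before scrubbing.
PRESCRIPTIONS = [
    {"name": "Jane Doe", "drug": "metformin"},
    {"name": "John Roe", "drug": "lisinopril"},
]
SERVICES = [
    {"name": "Jane Doe", "service": "oncology consult"},
    {"name": "John Roe", "service": "annual physical"},
]


def _without(record, field):
    return {k: v for k, v in record.items() if k != field}


def scrub_naive(records, id_field="name"):
    """Replace the name with an unkeyed serial that is identical in every dataset."""
    return [{**_without(r, id_field),
             "serial": hashlib.sha256(r[id_field].encode()).hexdigest()[:12]}
            for r in records]


def scrub_per_recipient(records, recipient_key, id_field="name"):
    """Replace the name with an HMAC pseudonym under a key unique to one recipient."""
    return [{**_without(r, id_field),
             "serial": hmac.new(recipient_key, r[id_field].encode(),
                                hashlib.sha256).hexdigest()[:12]}
            for r in records]


def link(a, b):
    """Join two scrubbed datasets on their serial field, as a data miner would."""
    index = {r["serial"]: r for r in b}
    return [{**ra, **index[ra["serial"]]} for ra in a if ra["serial"] in index]


def linked_count_naive():
    # Same serial everywhere: every patient's records join across datasets.
    return len(link(scrub_naive(PRESCRIPTIONS), scrub_naive(SERVICES)))


def linked_count_across_recipients():
    # Different buyers get different keys, so their datasets cannot be joined.
    return len(link(scrub_per_recipient(PRESCRIPTIONS, b"buyer-A-key"),
                    scrub_per_recipient(SERVICES, b"buyer-B-key")))
```

Within a single recipient the keyed pseudonym stays consistent, so legitimate longitudinal use still works; only cross-recipient joining is lost.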
“We are not worried because we think the threat is from hackers. It’s from all the folks who potentially have access to that data,” Thien said. “They’re salivating for this data. Everyone is a threat.”
To avoid privacy breaches, the Obama administration has started regulating the transfer of electronic medical records. Last week, HHS fined Cignet Health in Maryland $4.3 million for refusing patients access to their medical records. This penalty signals the first time the Office of Human Rights under HHS has issued a civil monetary penalty, a fine for violating a law.
Geiger said he hopes more monetary fines will follow because they act as a “strong motivator to stay in compliance with the law” for most health institutions.