"What Keeps Me Up at Night" - EMR on the Internet
November 17, 2011 | POSTED BY BRETT EDGAR IN COMPLIANCE, PCI, HIPAA
Right now two things keep me from getting a good night's sleep:
The first - the anticipation of whether we'll experience another earthquake in Oklahoma.
The second - the explosion of transmittal of electronic medical records (EMR) across the Internet.
There is some regulation governing how EMR must be protected, both at rest and while being transmitted. HIPAA arrived in 1996 and gave guidelines on how to protect the privacy and security of PHI (protected health information). HITECH appeared in 2009 and addressed those same concerns during the transmission of PHI, in addition to codifying the financial penalties for data breaches involving PHI. HITECH defined a breach as "generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of the protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual" (read the whole thing at HHS.gov
But, here's what scares me. The payment card industry (PCI) has developed a set of standards, complete with required testing and auditing procedures, dealing with how to protect cardholder data. This was driven by private industry (the banks) since they have a vested interest in preventing breaches (because they are on the hook for fraudulent charges). The industry has refined those standards over the better part of a decade now. Even with those standards, millions of records are stolen each year.
Now I ask you this: if the PCI industry, through multiple iterations, hasn't been able to completely fix this problem with required testing and auditing standards, what exactly are federal regulations for protecting EMR that are short on specifics and require no testing or auditing going to accomplish? I would posit that the answer is "not enough." All we can be sure of is that the organizations which lose EMR data are going to incur significant financial penalties.
So, what free advice can TRUE offer to healthcare providers? Look to ISO for information security best practices, and refer to PCI standards on protecting cardholder data. Just replace "cardholder data" with "PHI" for starters. Also, keep this Gartner quote top of mind when preparing your 2012 security budget: "The cost of mitigating a data breach is likely to be greater than the cost of preventing the breach beforehand - perhaps by a 70-1 margin."