Consumers are demanding more and easier access to their health records. Providers who allow that access open themselves up to a range of issues, from patients self-diagnosing and self-treating, to hackers stealing a patient's health history and personal data.
Electronic Health Record (EHR) vendors have provided patient portals as part of their offering for the past decade. However, today healthcare IT is being disrupted by a new technology moving forward into the marketplace. As Kit Sun, founder and CEO of NavisHealth Solutions, a healthcare information technology company, explains, the outlook for patient portals is beginning to change.
“Consumers are driving the need for native mobile portal applications on their smartphones to be utilized on demand no matter where they are located,” Sun explains.
But in the process of delivering those on-demand applications, he cautions that, “This technology needs to be delivered with secured messaging between the patients and their clinical caregivers which empowers patients and their families to take charge of their own health.”
And therein lies the challenge.
“Patients are not trained to read the data, so it’s highly unlikely they can accurately interpret what the data means,” explains Tony Perez, a cyber security expert and the founder and CEO of NetLok, Inc.
Perez understands patients’ desire to have open access to their medical records, including their doctor’s notes. He recognizes that medical portals are a convenient way for patients to access their records and become active participants in their own health.
But he’s also well aware of the downside.
“I’m aware that people can take their information from the chart of their medical record and go to the Internet to understand what the data says or means,” Perez says. “But the problem with that is what’s written on the Internet is written in such a general way that it may not be specific enough to really lead people in the right direction.”
Perez is also concerned that when consumers go online to do medical research they are often influenced to purchase a product that promises to cure their condition. However, there may not be any conclusive evidence that the product would solve the issue without creating any other problems or side effects.
“Consumers don’t know the consequences of one action versus another,” he says.
Regardless of, or perhaps unaware of, the safety issues at hand, consumers in today’s instant-gratification age want information on demand. For physicians willing to provide that access, Perez says it’s critical that they understand the requirements to meet HIPAA compliance.
“Unfortunately, if there’s a lawsuit against them, ignorance of the law will not help them,” he says. “And the fines in this area are considerable.”
More than just fines, lawsuits can wipe out your practice. Perez says a dentist whose server was hacked was sued by his patients for $400,000. The patients won, and the dentist’s reputation and practice were ruined.
Too often, Perez says, physicians don’t understand online security. It starts with the failure to properly investigate the background of the programmer installing the medical records system.
“They purchase the support based on price, not on competence,” Perez says. “And when you buy things on price and not the real need of competence you’re just opening yourself to all kinds of problems. So what they have done is set themselves up for what we call ransomware, and other opportunities for cyber criminals.”
Perez says the main reason medical records are becoming the fastest-growing area of hacking is that it results in a personal attack, in which cyber criminals can extort money from individuals, especially physicians.
“If a hacker gets your credit card and charges things, the banks are all over it,” Perez says. “They will pay the damage, and you don’t feel it as a person. But if somebody has your medical record and knows you’re vulnerable, that changes everything, because they can do a personal attack and go after you as a person.”
Problems with Passwords
The first step in the protection process is being HIPAA compliant. The second, Perez suggests, has to do with passwords, an element that new products from NetLok will eliminate.
“We’re going to be replacing passwords with photos and pictures,” he says. “The beauty of using pictures and photos is that you have so many 1s and 0s it would take a significant effort by a hacker to try and break into the system. And since there is so much more low-lying fruit they’re just not going to waste their time.”
But the real issue in security, Perez says, is the human element. If a professional hacker is targeting a high-profile medical professional but recognizes that the system he’s trying to break into is too complex, he’ll hire someone to track that individual and wait for them to make a mistake, such as losing their smartphone or their password list.
“So it’s not necessarily that the technology can’t be built to prevent people from getting in, it’s that people are always the weakest link in this chain of security.”