M. Eric Johnson is a professor at the Tuck School of Business at Dartmouth College and director of Tuck's Center for Digital Strategies. His book, The Economics of Financial and Medical Identity Theft, was published in March 2012.
Like the challenge of controlling U.S. healthcare costs, safeguarding patient information has proved elusive. Three years ago, as part of the Obama administration's drive to digitize healthcare, the Department of Health and Human Services mandated public disclosure of breaches affecting 500 or more individuals. Those disclosures quietly clicked past 20 million patients this month. In each case, patients are notified, the breach is posted on Health and Human Services' wall of shame, and in some cases organizations are fined. But the real costs are borne by patients in lost privacy and the lasting fear of fraud. Regardless of the breach size, patients experience harm. For example, last week Shatina Golden, a Northwestern Memorial employee, was charged with stealing patient identities, which she used to pay her water and gas bill. A search of her home turned up personal information of more than 50 patients, credit card numbers, and Social Security numbers. Ms. Golden is just one tiny example of the information security problem faced in healthcare. Medical identities fuel crimes large and small. Earlier this month, federal officials charged over 100 healthcare professionals with nearly half a billion dollars of Medicare fraud.
Stemming the breaches was a focus of a workshop held last week at Tuck. Funded by the National Science Foundation, the conference brought together security chiefs, physicians, researchers, and policymakers. David Blumenthal, the former National Coordinator for Health Information Technology, noted that security remains an important challenge in bringing U.S. hospitals into the digital age. Security chiefs and physicians placed much of the failure on healthcare software. The federally funded financial incentives offered to healthcare providers to adopt electronic patient records have created a boom market for software providers. But Paul Connelly of Hospital Corporation of America pointed out that even some of the latest bedside products are not engineered for security. More fundamentally, Eric Cowperthwaite of Providence Healthcare noted that the basic functionality of many electronic health record systems is lacking. Poor usability leads to work-arounds. Our research has found that data hemorrhages are often fueled by such work-arounds for poor software or when security "solutions" get in the way. From bed boards to financial systems, frustrated users circumvent security or move sensitive data into convenient formats like Microsoft Excel and Word, making the data portable and vulnerable.
The workshop participants concluded that stanching patient data hemorrhages will require new thinking. While many helpful security technologies like laptop encryption, data loss prevention, and network defenses are readily available, there are still more fundamental challenges like access control, usable applications, and education that will require fresh thinking.