Following the passage of the Health Information Technology for Economic and Clinical Health Act (HITECH) in 2009, the healthcare industry and all anesthesia services have been jolted farther into the digital age. A law that highly incentivizes the usage of electronic health record systems, HITECH, requires that healthcare providers, including anesthesiologists, leave behind paper records and adopt a digital system that is intended to streamline a physician’s access to medical records, ease the process of prescribing medication, and reduce the amount of unnecessary paperwork. Despite the many possible benefits that could arise from a digital system, electronic records have created an extremely pressing problem for the healthcare industry.
Privacy and the confidentiality of sensitive personal information are the backbone of the doctor patient relationship; however, the adoption of an electronic record system leaves private information that is being transmitted, stored, or recorded vulnerable to the attack of hackers who can penetrate these online systems. The only way to prevent these malicious attacks, which can result in identity theft and the loss of billions, is by encrypting this private medical information. Encryption makes use of a complex algorithm that transforms the information into unreadable ciphertext that can only be deciphered when the authorized party enters the correct key. When this key is stored properly, on a separate device that is not being used to read or store encrypted information, it becomes almost impossible for a hacker to steal the information and cause a severe data breach.
Despite encryption’s critical role in securing private and confidential information, the amount of healthcare providers who use encryption software is surprisingly low—only 44% of organizations in the United States reported that they made “extensive use” of encryption technology and only 29% encrypted tablets or smartphones. Encryption is particularly critical to anesthesia services where information can include not only names and social security numbers, but also insurance information and medical histories that can be manipulated by the uninsured or those with pre-existing conditions in order to gain coverage. The market for such information is quickly growing, with a 600% increase in cyberattacks on healthcare centers in 2014 alone. If such a cyberattack occurred at a center for anesthesia services it could put thousands of patients in jeopardy and result in millions in fines.
The lackluster usage of this important technology can be traced back to the fact that there are no definitive legal requirements that healthcare information must be encrypted. HIPAA Security Rule considers encryption an “addressable” issue, meaning that it cannot be ignored by an organization, but the organization has significant flexibility in determining what level of secure encryption they will use, or if encryption is even appropriate for their devices. The abstract wording of this law has allowed many leaders in healthcare and anesthesia management to forego essential, high-end encryption software, either using minimal or no encryption techniques. Believing that their data is being properly protected and that there is minimal risk of a security breach, management groups avoid extensive encryption software that is deemed expensive, confusing, and cumbersome. Indeed, many physicians have adamantly fought against using encryption because they feel as if the complicated keys could waste time when every second counts and that encrypting the information in diagnostic and monitoring equipment could compromise function. Thus a very significant conflict arises between the need to efficiently deliver patient care and thoroughly protect private healthcare information.
Despite reservations from physicians, encryption is the best means of protecting information and preventing potentially devastating data breaches. In February 2015, Anthem Blue Cross had a breach of security that put the healthcare information of 80 million people in jeopardy because Anthem had not encrypted this confidential stored data. This is not an isolated incident: in 2013 alone 60% of healthcare institutions reported data breaches due to lack of security, resulting in over $1.5 billion in fines. Technology is working to prevent these types of breaches by making encryption software easier to use and the keys less complex—one startup is even testing using fingerprints to safely access medical records. In the mean time, anesthesia management groups and all healthcare providers need to recognize the extreme importance of encryption in protecting patients and hospitals from destructive consequences.
Sources:
- https://www.healthit.gov/policy-researchers-implementers/health-it-legislation
- https://www.healthit.gov/sites/default/files/pdf/privacy/privacy-and-security-guide.pdf
- http://healthitsecurity.com/news/too-few-organizations-implement-data-encryption-survey-says
- https://www.technologyreview.com/s/530411/hackers-are-homing-in-on-hospitals/
- https://hipaacentral.com/Documents/Perspectives/HIPAA-Encryption-Requirements-Perspective.aspx
- https://www.virtru.com/blog/why-isnt-everyone-using-encryption-in-health-care/
- http://www.healthcareitnews.com/news/why-does-healthcare-resist-encryption
- http://www.pbs.org/newshour/rundown/lack-health-care-cyber-security-standards-raises-questions/
- http://www.mobilecomputingtoday.co.uk/1551/ensuring-healthcare-compliance-protecting-securing-patient-data/
- https://www.technologyreview.com/s/545566/using-patient-fingerprints-to-break-down-medical-record-silos/
