The problem of securing health data that is everywhere

At some point, in the next five years, some doctor is going to be seen in handcuffs because he failed to comply with security requirements and lost someone's health records.

My dear wife works for a credit card processor.

(Oh, Dilbert. Is there no office disaster you can't make hilarious?)

Over the years she has given me horror stories about new security procedures. Her hard drive is encrypted, old drives are shredded, and she can't even get into her PC without a strong password that is changed regularly.

There are also dozens of other processes inside the company I know nothing about, some she doesn't know about, and if I told you any more I'd have to kill you.

True, it's a hassle. But her company hasn't appeared in headlines like this. Processors know that if they screw up they'll be cut off at the knees. Stuff still happens, but the people it happens to are going down.

Shouldn't your health records get the same care?

Of course they should, and politicians are happy to stand with you on this.

Thus Richard Blumenthal, now Connecticut's most popular pol, and the outgoing Attorney General, has filed papers against an insurer called Health Net, now owned by Oxford Health and United Health, for losing a disk drive with data on 1.5 million people.

Good on him, you say. I do too.

But even with enforcement, and even with laws that are more than a decade old, which everyone supports, securing all health records is devilishly difficult. And it's going to get more so.

There are two reasons for this:

  1. Your health records, unlike your credit records, are in lots of places. Each doctor you see, and everyone who pays your bills, gets copies of something.
  2. These records are going to be automated, because under the HITECH Act once the carrots or "incentives" for automating disappear, the sticks or "penalties" kick in.

As we've seen with credit processors, there are all sorts of ways records can be misplaced. They can disappear with a hard drive, or inside a thumb drive. If you don't have strong passwords, track all downloads, and have regular security audits, you can easily become a data theft victim.

It's partly for this reason that many doctors' offices have refused to automate. It's why there are miles of aisles of file folders behind the desks at clinics. Easier to track all that paper than worry about it all going out the door on the USB stick of a disgruntled clerk.

The need for strict security procedures, for training, and audits is going to slow the move of Electronic Health Records (EHRs) through the industry. On that there is no doubt.

And there is another doubtless truth.

At some point, in the next five years, some doctor is going to be seen in handcuffs because he failed to comply with security requirements and lost someone's health records. It happened in credit cards, but it's one thing to see some suit going down -- what happens when it's old Doc Friendly?

But if you're in data security, at least you'll find regular work.

Feel free to share your own medical data security horror stories below.