With technology comes great risk and greater responsibility, particularly for the healthcare industry, which is gathering and digitizing more data from individuals than ever before.
The February 2015 breach of Anthem Inc.’s database is particularly alarming. Anthem is the second-largest health insurer in the U.S., according to a report by Reuters, and company officials are still trying to determine how many people were impacted by the cyberattack.
Anthem has reported that as many as 78.8 million customers may have had their personal information compromised, including an estimated 8.8 million to 18.8 million people who weren’t Anthem customers but had their data shared with Anthem by their insurer, Blue Cross Blue Shield.
Hackers accessed names, birthdays, social security numbers, medical identification numbers, street addresses, email addresses, employment information and more, according to a report on PR Newswire.
As more people become insured and seek medical treatment, and more electronic health records are compiled by healthcare and insurance providers, the industry itself must address how that data can be stored safely and securely.
The American Health Information Management Association, or AHIMA, has addressed this timely issue on its website with a detailed report on best practices for ensuring the security of confidential, sensitive medical data.
According to the association, the most sensitive data collected includes medical test results, specific medical conditions and the records of high-profile patients and minor patients.
By law, some medical diagnoses or medical conditions are afforded special protection. Mental health records, for example, have a higher degree of confidentiality. The records of patients with a sexually transmitted disease or HIV/AIDS are another example. Safeguards should be in place to prevent disclosure of such records without patient consent.
The healthcare industry currently lacks a standard method for identifying patients and linking individuals to their respective medical records. Certain records, such as those of high-profile or celebrity patients, domestic violence victims and children, should be stored in a manner that restricts access and provides anonymity where required. Proper safeguards can also help prevent identity theft, fraud and abuse, according to AHIMA.
Similarly, certain procedures, such as abortions, genetic testing and cosmetic surgeries, require a stricter standard.
In its report, AHIMA also outlined several key areas that the healthcare industry must take into account.
When choosing a product or provider for maintaining electronic health records, agencies should consider specific features for storing high-risk data that provide adequate screening controls. These include the ability to redact sensitive information, unique user identification codes that allow thorough auditing to identify everyone who accessed specific records, and other features, such as time-date stamps on newly created documents.
Health information managers must make sure that any electronic records system includes adequate functionality to meet internal operational and regulatory record-keeping requirements.
Finally, with regard to security, issues such as network access by outside users, encrypted data transmissions, IT support and system override authorization should be considered.
Industry professionals and concerned consumers can learn more about electronic health records, security risks, regulation and other important issues through HealthIT.gov, a national resource website for health information technology.
The website is divided into sections for providers and professionals, patients and families, and policy researchers and implementers. There are tabs on the benefits of electronic health records, privacy and security, certification, case studies and more.
The website is an invaluable tool for practitioners and consumers alike to understand the myriad issues involved in gathering, storing, accessing and protecting medical information.