From The Editor | March 16, 2011

Patients Question EHR Security


By Ken Congdon, editor in chief, Health IT Outcomes

While the trepidation surrounding EHRs has been well documented in the physician community, a new batch of research from CDW Healthcare finally solicits patient viewpoints on EHR adoption. Not surprisingly, this research shows that patients also have some unresolved questions on EHRs — particularly as it relates to the security of their personal, financial, and medical information in an EHR system. According to the study titled Elevated Heart Rates: EHR and IT Security, 49% of 1,000 survey respondents stated that they believe EHRs will have a negative impact on the privacy of their PHI and health data.

EHRs & The Fear Of Change
So why am I not surprised by these findings? After all, for the past several years, the U.S. Department of Health and Human Services has been promoting the anticipated patient benefits of EHRs including the reduction of adverse drug events (ADEs) through e-prescribing, improved communication between patients and providers, and reduction in office visits and waiting times. Didn't this information resonate with patients? Maybe it did for some, but not enough to overcome a universal fear of change. That's really what we're dealing with here.

Think about it. Electronic banking and remittance is commonplace nowadays, but think back to when it first started to emerge as an option. Most individuals were skeptical of how secure it was and were fearful of their money or identity being stolen. Personally, I was hesitant to share my credit card or bank account information online until three years ago — and I write about technology for a living. EHRs are following a similar path as electronic banking, so why would we expect the public reaction to the technology to be any different? Over time, patients will become more comfortable with EHRs and experience the benefits first-hand. There will be a tipping point where patients no longer fear EHRs, and we'll all wonder how we got along without them. However, providers, payers, and patients alike will all experience some pain during the transition.

Providers Need To Adjust To Make EHRs Secure
Healthcare providers will play the most significant role in changing the negative patient perception of EHRs. After all, CDW's research showed that 89% of survey respondents currently have "complete" or "some degree" of trust in their hospital or doctor's office to protect their personal health information.

To ensure they maintain or enhance this level of trust with patients, providers will have to make the technology adjustments necessary to ensure patient data is kept private and secure when transitioning to an EHR. EHRs are not inherently less secure than paper patient records. To the contrary, EHRs offer several security advantages (e.g., authorized access, automated audit trails, and alerts and alarms) over their paper counterparts. However, EHRs do have significantly different security requirements than paper records, and providers need to make the technology investments to protect vast new stores of electronic information against theft, loss, and misuse. In its report, CDW Healthcare recommends healthcare facilities take the following steps to ensure their EHR systems are secure:

  • Execute An IT Security Assessment: Many healthcare organizations do not know the current state of their IT infrastructure. Fewer know what constitutes an adequate profile. Healthcare facilities need to work with a trusted partner to secure a baseline understanding of what their security profile looks like today.
  • Start With The Basics: In its study, CDW references 2010 research that showed 30% of surveyed physician practices do not have basic antivirus software protection, and 34% of physician practices do not use network firewalls. At an absolute minimum, healthcare organizations need to immediately implement steps to meet reasonable security standards.
  • Protect Your Investment: As healthcare organizations transition to EHRs, they have the perfect opportunity to implement IT security practices tailored to their solution. This not only protects a sizable technology investment, but also ensures that as patient data goes digital, security protections are already in place.
  • Start Now. Reassess Often: IT security is not a one-time fix. Though the EHR transition is an ideal time to initiate tighter IT security controls, all healthcare organizations need to reassess their IT security profiles regularly.

Ken Congdon is Editor In Chief of Health IT Outcomes. He can be reached at ken.congdon@jamesonpublishing.com.