People make mistakes, whether they are charting on paper or using an EHR. People disclose personal information such as passcodes all the time. We’ve been getting (sometimes successfully) scammed for our bank account, social security and ATM PIN numbers forever.
Why are there 225 reported incidents of PHI breaches affecting 500 or more individuals? Some would jump to the conclusion that, due to the increasingly digital nature of PHI, information is more at risk. The real truth is that, quite simply, people make mistakes, not computers.
One of the most common mistakes is a healthcare professional using unencrypted email to send a doctor's medical record or to store PHI.
On November 12, 2010, St. Vincent Indianapolis Hospital in Indiana experienced an email breach that compromised PHI for 1,800 patients.
In the last few days, the facility posted a brief explanation of what they called an “Unauthorized Email Access Incident”. The statement goes on to explain that affected patients received a letter alerting them of the possible disclosure of “individual names, dates of service and certain clinical and diagnostic information.”
The Indianapolis Star ran a story claiming a hacker, who worked within the hospital, persuaded some employees to share their e-mail login information. The hacker did not gain access to the EHR system but rather, to emails that clinicians exchanged containing PHI.
Interestingly, the HHS website, where breaches affecting 500 or more individuals are reported, listed this incident as a ‘theft.’ The location of the breached information is listed as a laptop. Of the 225 incidents, 75% are described as theft or loss of paper records, desktop computers, laptops, network servers, CDs and even backup tapes.
7% of breaches were attributed to what the HHS calls ‘Hacking/IT Incidents’ such as the University of California, San Francisco breach in 2008. A ‘phishing’ scam was used to gain access to a physician’s (you guessed it) email account where they had “personal information about patients, including demographic and clinical data and the Social Security numbers of four patients,” according to the San Francisco Chronicle.
HHS identifies email as the breach point for the Geisinger Wyoming, Johns Hopkins Applied Physics Laboratory, Sinai Hospital of Baltimore, Georgetown University Hospital, Reliant Rehabilitation Hospital North Houston, Children’s Medical Center of Dayton and Comprehensive Care Management Corporation breaches.
The bottom line is that email is not a secure-enough way of transferring PHI. That is why HIPAA certifies secure messaging modules such as Practice Fusion's. Besides advanced security protocols, a secure messaging function inside an EHR provides other advantages, like direct links to patient charts and chart notes, which make pertinent information more available and decrease human error.
More importantly, healthcare professionals are less likely to accidentally disclose their login information for an EHR than for an email account, just as they are less likely to disclose their Social Security number than their phone number.
Security vs. Human Error
However, people do make mistakes. This can include disclosing their EHR credentials. But that’s nothing new: paper charts have always been at risk and continue to be.
Storing PHI electronically allows providers an extra dimension of security. You can’t put a padlock on a paper chart but you can password protect a laptop, a network server or a web-based EHR.
The real problem occurs when a person discloses their password or loses a laptop or hard drive: human error as opposed to a breach in security protocols.
The answer to this problem? Better education. People know not to disclose their PIN number. They need to know not to email PHI or give out their login information.
Community Relations Manager
Practice Fusion, EHR