Kroll Fraud Solutions Blog – A Dialogue on Data Security

In the late 1960’s, Dr. Lawrence L. Weed developed the Problem Oriented Medical Record (POMR).  His vision was to have electronic medical records with standardized progress charts for all patients.

Fast forward 30 years, and you would be hard pressed to find a medical group or health care system that used Electronic Health Records (EHRs) to exchange patient data with one another. Most medical records were still in the form of physical documents, stored in a file folder and shared between a few key members in the medical facility.

In June, the Office of the National Coordinator for Health Information Technology (ONC) issued its final rule to establish a temporary certification program for Electronic Health Record (EHR) Technology. This marks an important step towards allowing healthcare facilities to meet and achieve meaningful use, a requirement to qualify for incentive payments under Medicare and Medicaid. Yet, even with this new development, lingering security questions still plague the process, making the transition to an interoperable EHR system seem even further away and harder to achieve.

If your healthcare facility were to have a data breach tomorrow, how would you go about notifying affected individuals? More importantly, how would you do it in a way that satisfies the HITECH requirements?

The answer isn’t easy. Even without HITECH, notification and subsequent response can take an alarming toll on the finances and resources of an organization.

A data breach can occur many ways. Even a data “warehouser,” who has implemented a policy to minimize data collection and retention while making necessary data accessible in a secure environment, may still be subject to a data breach. A data breach may still occur by accident or through malice even when a well written policy and procedure is adhered to seriously by computer users. Data is only as safe as the trustworthiness and reliability of the organization’s users.

Young adults often make poor choices when it comes to social networking; so, many people argue that the younger generation simply doesn’t care about their own privacy. However, a recent survey refutes that argument – entitled How Different are Young Adults from Older Adults When it Comes to Information Privacy Attitudes and Policies?, it reveals little evidence that young adults’ attitudes toward privacy are fundamentally different from those of older adults. What the data did show, however, was that a higher proportion of 18-24 year olds believe (incorrectly) that information privacy laws protect their data both online and offline than do other age groups.