info@qualityplusconsulting.com l +1 262-553-6510

Opportunities in video conferencing: improving the security in medical offices

6/14/2010 - Author: Felicia

Technology security is a difficult topic for most medical practitioners to understand. I have crossed paths with some doctors over the years that actually considered themselves capable of supporting their own IT systems. There is a huge difference between designing and implementing security and HIPPA-compliant systems and simply keeping them up and running.

The keeping them up and running part is support. Many doctors fall prey to the idea that support and the people that do support are also qualified to do design and engineering.

A good example is the difference between a technician that can mount a false tooth on an installed dental implant. The technician may be able to care for and replace that tooth, but they do not have the skill or the engineering capabilities to decide what implant should have been installed in the first place, besides the skill to actually install it properly. Yet I have seen many doctors over the years who think their office manager or assistants are capable of managing their IT systems. If a person's knowledge is limited to knowing how to change the backups, how are they supposed to know when there is a gap in security practice?

I see a huge opportunity to use video conferencing to train many medical practitioners in geographically disparate locations simultaneously. This can be used not only for security and technology training, but it could be used for just about anything else you might be able to do in a face-to-face setting. With tools like GoToMeeting, the presenter can pass the presentation role to another participate who could bring up materials on their computer to show the other attendees. There is also a feature in many of these video conferencing tools that allows for a shared whiteboard between the participates.

One of the challenges in this approach is getting medical offices to take security and patient privacy seriously. If they don't see the need, then why would they ever take the time to go to a training session, even if it comes to their computer screen over the lunch break? Also, many doctors still seem technology-challenged. I have seen many of them abdicate the responsibility of understanding their technology systems entirely. Unfortunately, the majority of the times they not working with an IT security expert, they are simply relying upon their office manager or office assistant who has no training in security whatsoever.

To compound the problem, many of the doctors' lawyers are still living in the stone age as well. So the lawyers end up giving their clients bad advice regarding what they must do to be HIPPA-compliant. What many of them don't realize is that the stimulus bill of 2009 dramatically changed HIPPA regulations. Medical offices that think they are compliant are not even close to being compliant. And fines have dramatically increased.

John Barlament wrote a very interesting article highlighting many of the challenges. He actually brought up the point about encrypting emails and attachments. I've been talking about this issue for years now and doctors don't want to listen. I did a podcast on this topic on March 28, 2009. One of the topics I covered is this whole issue of tracking disclosures. Barlament touches on this as well. Essentially, almost no medical offices are tracking disclosures and who has access to what information. It is disturbing to think about all the places the electronic health data is stored and disclosed. Both my podcast and Barlament's article covers the significant increase in monetary penalties. If medical practitioners don't start to wake up and smell the liability, they need to go out of business. January 1, 2011 is getting closer every day, but how many of these medical offices are ready for the change?

What is not clear about the monetary penalties is what is considered a discrete violation. I have read in some places that a violation is a single patient record being improperly disclosed. A reportable incident being five or more patient records being disclosed. Barlament's article does not draw any distinction here. If you take a typical sole practitioner, they could have in excess of 10,000 patients in their records. So even in a best case scenario of a breach of electronic health records, that is a reportable $100,000 fine. What if it's interpreted as per-patient? So 10,000 times that? Is the medical office just out of business at that point?

In 2009, there were a string of robberies in medical offices in Racine, WI. A dentist in Racine lost everything because he was doing all of his technology support himself. His computers, server, and safe that contained the backups were all stolen. He had no off-site backups. None of the data was encrypted. How do you recover from a loss like that? And what if a patient had filed lawsuit about breach of patient electronic medical records?

Medical offices need to be equally concerned about using any online storage facility for off-site backups of their data that they do not have direct control over. If the medical office has another facility and the data is replicated there, then that is fine assuming that proper security controls are in place. However, using something like Mozy or Carbonite is totally inappropriate and inadequate. You have no idea who has access to that data once it is uploaded to those servers.

Both Google and Microsoft are working on cloud services that would allow medical practitioners to upload and store medical data online. Given the fact that Google is the largest data aggregator worldwide and has repeatedly shown a lack of judgment in favor to customer privacy, I am opposed to their tool. I am also opposed to any online storage of medical records overall.

You can analyze how this is a problem by understanding the federal government terrorist watch list. The ACLU has an entire page of resources regarding this abomination of federal bureucracy and denier of civil rights. Over one million Americans are now on the terrorist watch list. Names can be added to this list by a variety of inaccurate methods and it is nearly impossible to get yourself off the list once you are on it. And the government uses this as a way to deny you due process and civil rights. The latest bit is a piece of legislation that would prevent you from owning a firearm if you are listed on the watch list even though you may have never been convicted of a felony. (S 1397 and HR 2159) The watch list is so inaccurate that a six year old boy scout is on the list.

So imagine this healthcare database the government wants doctors to use has an inaccuracy in it. Who do you call, and how many hours will it take to get the inaccuracy corrected if it even can be? Will you be misdiagnosed or even killed because of this inaccuracy? The bottom line is that doctors and the public need training in all of these areas to understand the multitude of problems associated with health data. Just as video conferencing is bringing training to students that would otherwise not have access to that information, video conferencing can be used to bring training on these subjects to medical practitioners and eventually to the public at large.

 

Linkedin