Solving patient-data breaches starts with human solutions

Posted By Valerie Olague
Americas Business Group Lead

You hear or read about it almost every day: Patient healthcare data breaches involving thousands, even hundreds of thousands of patient records. It can happen in hospitals, physicians’ offices, research centers and nearly everywhere patient data records are held. As a consumer of healthcare, I certainly get nervous with every new article, wondering “Who has access to my medical information?”

Is the problem with the software systems? In some cases, yes. For example, I recently read how some free mobile health applications sell user information to advertisers. As a marketer, I can see some potential user benefits to this. For one, if I upload information indicating I have a bad cold and within an hour I get a coupon for free nasal spray, that’s not so bad. But what about having a deeply personal medical issue and suddenly your name is made available to every company that wants to profit from your illness? Picture a phone call while eating dinner with the family at home, and your child picks up the phone to hear a pre-recorded message on the advantages of Viagra. That’s not so good.

Thanks to the Patient Protection and Affordable Care Act (PPACA), I don’t have to worry about being denied insurance due to a pre-existing illness if I decide to leave my job. But that doesn’t mean my healthcare records should be easily available to insurance companies … or to advertisers. The PPACA also includes a new mandate for Electronic Medical Records (EMR) systems that is set to take effect in 2014. Healthcare providers are now attempting to get these systems implemented before the deadline, and apart from cost, security of patient data is high on the list of selection criteria. Some organizations don’t trust larger EMR and EHR software vendors and thus try to write the systems themselves. The Pentagon has already spent five years and more than $1 billion trying to do just this, but found it was a lot harder than they thought.

There are many EMR and Electronic Health Records (EHR) software vendors that are highly rated for their solutions, and we partner with many of these companies to better serve our joint customers. But in many of my experiences, the biggest issue isn’t the software. It’s the people and processes. As a marketer at Microsoft, I work within processes and workflows for handling customer Personally Identifiable Information (PII). This includes regular communications and training for the marketing teams on both what to do and what not to do with this data. Many healthcare providers would benefit from implementing broad training and processes designed to reduce the “people errors” that occur within their organizations. Some of the rules are quite easy to remember.

Physicians shouldn’t share passwords and sign-in information with others in their work group (receptionists, researchers, assistants) just because they are too busy to update records themselves. They also shouldn’t copy PII onto USB drives. Ever. That way, if you leave your briefcase behind in a coffee shop or taxi, at least you won’t expose your hospital’s entire set of diabetes patient records.

Yes, sometimes we expect technology to take over for common sense. But an awful lot of the time, these user errors expose more information to the public than security breaches of the software do. So if you are evaluating EMR and EHR software, don’t forget the training and processes for your employees and staff. Search on Bing for “PII training” and you’ll see a number of training courses available, both in person and online. Don’t skip this step!