Patients worried about medical records going digital

Many Americans — 85% in a new survey — report having fears about the privacy of their records as more physician practices adopt EHRs.

By PAMELA LEWIS DOLAN, amednews staff. Posted Aug. 20, 2012.

It took some time to get a majority of physicians in the U.S. to agree that it would be beneficial to implement electronic health records in their practices. Now, a survey finds, the most skeptical audience for EHRs is patients.

A survey of more than 2,100 patients by Xerox found that only 26% want their medical records to be digital, down two percentage points from a year ago. Only 40% believe EHRs will result in better, more efficient care. And 85% expressed concern about digital records. Their main worries: privacy and security of their information.

When asked what, specifically, worries them about EHRs, respondents said they were concerned that their information could be stolen by a hacker (63%), the files could be lost, damaged or corrupted (50%), their personal information could be misused (51%), or a power outage or computer problem could prevent doctors from accessing their information (50%). Fifteen percent said they had no worries.

There are many things in medicine that patients tolerate but don’t necessarily like. If most physicians will be electronic soon anyway, some physicians may wonder why it’s important to convince their patients that EHRs are a good thing instead of just letting them learn to live with them.

As the health care system shifts from one that focuses on acute care and treating patients who are sick to one that promotes wellness, “We need the patients as active participants,” said Philip Payne, PhD, chair of the Ohio State University College of Medicine’s Dept. of Biomedical Informatics. The EHR is an important tool to engage patients, he said.

Despite the benefits an EHR might bring, major data breaches are announced on virtually a weekly basis. For example, in the summer of 2012, a computer containing the medical information of 2,500 patients from the Stanford (Calif.) Hospital & Clinics and the School of Medicine was reported stolen. In Connecticut, information on more than 7,461 VNA Healthcare patients and 2,097 Hartford Hospital patients was lost when a computer belonging to a data analysis vendor was stolen. Beth Israel Deaconess Medical Center in Boston announced that the health information of 3,900 patients was put at risk when a physician’s personal laptop was stolen.

How to give assurance

The main message physicians should be spreading to patients who are concerned about breaches is that “people do bad things, whether it’s in paper form or electronic form,” said Mary Griskewicz, senior director of ambulatory health information systems for the Healthcare Information and Management Systems Society.

Michael Hobaugh, MD, PhD, chief of medical staff at La Rabida Children’s Hospital in Chicago, said if patients express concerns about data safety, physicians can tell them that there are many safety features of an EHR that patients never had with paper.

“The biggest assurance that patients have regarding electronic medical records is that anytime anybody looks at something or prints something, there is a record of who did it,” Dr. Hobaugh said. “That was not true of paper charts.”

Christine Bechtel, vice president of the National Partnership for Women and Families, said a survey her organization conducted, similar to the one by Xerox, found respondents rating EHRs higher than paper across the board in various safety and quality measures. She said the survey, released in February, shows that even if patients worry about their own information, many are showing confidence in EHRs in general.

Griskewicz said physicians need to be educated on how and when to engage consumers when it comes to technology adoption. HIMSS launched the HIMSS eConnecting with Consumers Committee this year, whose focus is to provide physicians with tools and education surrounding patient engagement and technology.

Many patient concerns stem from the fact that the value of EHRs has not been made clear to patients, Payne said.

“We really have to figure out how we make the EHR a focal point of collaboration between patients and members of multidisciplinary care teams rather than just a thing that’s in the room that we have to use to document so we can bill,” he said.

What patients think about EHRs

A survey found that patients have concerns when it comes to electronic health records, mainly about risks to their private information.

63%: With EHRs my information could be stolen by a hacker.
51%: My personal information could be misused.
50%: Digital medical records could be lost, damaged or corrupted.
40%: Digital records mean better, more efficient care.
31%: I feel I am adequately informed about when and how my medical records are used.
26%: I want my records to be digital.
26%: EHRs have improved my interactions with my physician office.
24%: My doctor involved me in the conversion from paper to electronic.
21%: I expect EHRs to improve the quality of service I receive.
14%: I think my health care provider is technically savvy enough to use EHRs.

Source: Third annual electronic health records survey, Xerox, July

Hackers Encrypt Health Records And Hold Data For Ransom

By Jordan Robertson – Aug 10, 2012 12:00 PM CT

As more patient records go digital, a recent hacker attack on a small medical practice shows the big risks involved with electronic files.
The Surgeons of Lake County, a medical facility in the northern Illinois suburb of Libertyville, revealed last month that hackers had burrowed deeply into its computer network, infiltrating a server where e-mails and electronic medical records were stored, Bloomberg.com reported on its Tech Blog.
Unlike many other data breaches, the hackers made no attempt to keep their presence a secret. In fact, they all but fired a flare to announce the break-in, taking the extreme step of encrypting their illicit haul and posting a digital ransom note demanding payment for the password.
The doctors turned the server off and notified the authorities, refusing to pay.
“This story is so ironic — most people worry that their health records will be spread all over their local newspaper,” said Dorothy Glancy, a professor at Santa Clara University’s law school who specializes in digital privacy. “But in this case, the doctors — in fact, nobody — can access these records.”
The Surgeons of Lake County isn’t the first health care provider to be targeted by extortionists. The incident, which was spotted by privacy blogger Dissent Doe in a federal database of health-related breaches, showcases an unsettling new strain of opportunism that is emerging as criminals try to exploit the industry’s shift to digital medical records.

Data Breach

The attackers’ choice of tactics, particularly the use of encryption, indicates a level of sophistication and targeting that suggests they knew what they were doing, said Rick Kam, president of ID Experts, a Portland, Oregon-based company that makes data-breach prevention technology and specializes in health care.
Based on the number of practices moving to electronic health records, “many more” of these types of breaches should be expected, Kam wrote in an e-mail.
Until now, medical-data blackmail has been a niche crime, largely because of the difficulty and risk involved. Spam and online bank fraud are easier ways for fraudsters to make money.
One case involved Express Scripts (ESRX), the large prescription- drug benefits manager, and a threat it received in 2008. Someone sent the St. Louis-based company personal information on about 75 of its members, including identification numbers and prescription records, and demanded an unspecified sum. The company refused to pay, and eventually told 700,000 customers that their information could have been exposed.

Patient Confidentiality

In 2003 and 2004, health care facilities came under fire for outsourcing their transcription chores when several California hospitals were blackmailed by their own workers in India and Pakistan.
The spiraling cost of health care and lack of insurance for millions of people have made medical identity theft a growing risk. Security and privacy risks are also emerging with the creation of “health information exchanges,” vast databases that states are setting up to handle electronic medical records.
It’s unclear whether the Illinois surgical center’s records were backed up or have been recovered. The organization declined to comment.
“Safeguarding every patient’s personal information is a top priority at the Surgeons of Lake County,” Scott Otto, the center’s president, said in a statement. “We are devoting significant people and technological resources to help protect patient confidentiality.”
For all of the benefits of making health records electronic, this incident highlights a downside, said Santa Clara University’s Glancy.
“This is a warning bell,” she said. “Maybe they’re the canary in the coal mine that unpredictable things can happen to data once it’s digitized.”