
Stimulus bill includes protection for digital health care records

A portion of the $818 billion stimulus bill that was passed this week by the U.S. House calls for computerizing all health records in five years, but the legislation also contains stringent privacy and security controls to protect this online data.

Experts said these measures would complement the Health Insurance Portability and Accountability Act (HIPAA), approved in 1996, by bringing privacy and security regulations more in line with the digital age. That's an important move, considering the digitization of health records is likely to spur increased attempts at malicious intrusion.

"It closes the gap that advancement of technology created," Pam Dixon, executive director of the World Privacy Forum, a nonprofit research group, told on Friday. "It expands HIPAA in a number of ways and updates it and modernizes it."

Part of the stimulus bill dealing with new health information technology includes provisions for breach notification, enforcement, audit trails and encryption. It also prohibits the sale of medical information.

However, the legislation fails to reference medical identity theft, a growing problem that affects an estimated quarter of a million people each year, Dixon said.

Criminals who gain unauthorized access to patient data can, for example, alter the records to falsely show that a victim has a certain disease, she said. They then can bill insurance companies for expensive drugs never prescribed or treatments never given.

"If you have a health care file and you're a criminal, you can make millions of dollars off fake billing," she said. "But when you change someone's file, a whole host of consequences kicks in."

Those include the possibility that because a patient's record has been altered, a doctor may make a misdiagnosis or perform an unnecessary procedure, she said.

To combat medical ID theft, the bill should require a more comprehensive audit trail, so patients can learn any time their records have been used -- not just when their information has been wrongfully disclosed.

Phil Neray, vice president of marketing at data security firm Guardium, said that because patient records will be stored in the cloud, they will attract the attention of hackers. Celebrities and politicians could be targeted, much as Britney Spears' records were targeted last year by hospital workers.

Controls such as monitoring must be required and enforced, Neray added.

"In order to make the information widely accessible to doctors, insurance companies and patients, they're going to have to build web interfaces," he told "Once you've done that, you've essentially created a tunnel into the database."

Sen. Patrick Leahy, D-Vt., chairman of the Senate Judiciary Committee, held a hearing Tuesday to investigate methods of protecting health care privacy.

"Without adequate safeguards to protect health privacy, many Americans will simply not seek the medical treatment that they need for fear that their sensitive health information will be disclosed without their consent," he said in a statement. "And those who do seek medical treatment assume the risk of data security breaches without their consent."

The Senate has not yet voted on the stimulus bill.
