Saturday, December 16, 2006

We don't know what we don't know

Two friends recently sent me emails alerting me to security breaches in the health care industry. Since MAeHC is launching health information exchanges in 3 communities beginning in early 2007, we're very interested in such news.

One breach was a theft of back-up tapes containing medical claims of 130,000 Aetna subscribers (my health insurer!). The other breach came from the theft of a laptop with medical information of 38,000 Kaiser Permanente members in Denver.

I found out about these within the same week (they actually occurred about 1 month apart), and it got me wondering about the incidence of such events generally, and whether it might be getting worse as more data becomes electronic.

There's been a steady drumbeat of news on such breaches since the infamous ChoicePoint blunder in 2005, and the US recently crossed the dubious milestone of 100 million security breach victims since the counting began with Choicepoint.

The best (and most accessible) data I'm aware of is maintained by the Privacy Rights Clearinghouse, which tracks breaches on its website. My quick-and-dirty assessment of the data on the website suggests the following:

The frequency of all reported breaches is increasing. 413 reported breaches in the last 2 years -- 106 in 2005 and 307 in 2006.

Health care providers are a very small part of the problem. Sources of breaches break down as follows -- non-clinical commercial enterprises (37%), federal/state/local government (29%), universities (25%), hospitals and ambulatory providers (9%).

Breaches involving medical data may be increasing. 16% (69) of these breaches involved health data, but this share almost doubled over time, from 11% of breaches in 2005 to 19% in 2006.

Most medical breaches are committed by hospitals and the government. Hospitals accounted for most medical breaches (39%), followed by government (20%), health insurers (13%), physician offices (10%), and universities and ancillary services (9% each).

Big breaches involve institutions that have a lot of data. The biggest breaches by far, in terms of the number of individuals affected, have been by banks and by the government, which one would expect since they are the institutions that hold the most data.

Most reported breaches do not seem to involve theft of data for the data itself; rather, they involve theft or improper destruction of files, tapes, and computers that happen to have private data in them. Not to dismiss the importance of breaches, but the actual damages resulting from these breaches are likely much, much smaller than the gross numbers suggest.

There are all sorts of cautions about making too much of this data: Is this better reporting or a higher frequency of actual breaches? What other types of breaches never get reported? Is it higher incidence as well as higher frequency? Is the reporting consistent across sectors and over time? Are the differences statistically significant (both across sectors and over time)?

Assuming the data are somewhat representative of reality, they seem to highlight some important points for EHRs and health information exchange.

First, the world is full of data repositories. Financial institutions, the government, universities, hospitals, health insurers -- all hold huge stores of our personal information already. The discussion of whether to have a repository in an HIE needs to be had in that context.

Second, what's not reported is at least as important as what is. MAeHC's experience with health care providers is that bigger organizations like insurers and hospitals have a very low frequency of big data spills, which get reported, and small organizations such as physician offices have a high frequency of tiny data spills, which never get reported. Also, it's pretty well known that one of the biggest sources of breaches is insiders, who are often found out but are not publicly reported (for example, this week's Information Week article, the ongoing problem of medical staff trying to peep at VIPs' medical records, and the now well-known story of the Diva of Disgruntled who posted confidential information of Kaiser Permanente patients on-line).

Third, breaches seem to be committed by organizations of all sizes and levels of sophistication. Physician offices -- as they become more interconnected with each other and with existing repositories of data -- could add many more chinks to the health data security armor. This isn't because they're irresponsible; it's because they don't have the staff or experience to even know how to address it.

For example, how many physician offices have already gone to Staples, bought a $30 Linksys box, and set up a wireless network that they don't realize is akin to leaving their medical charts in the parking lot in front of their office? How many are remotely accessing their computers using retail products and services that don't have industry-standard authentication and encryption? They haven't really had to worry about all of this up until now, because they're protected by the high friction of exchanging paper records -- the very same friction, by the way, that prevents huge improvements in quality, safety, and cost of care.

We need to get rid of this friction, of course, because the benefits are so huge, but it has to be done under some type of policy and management umbrella that doesn't undermine security. HIEs can play a very beneficial role in this regard, because they can provide the policies, processes, staffing, experience, and technology to bring physicians "onto the grid" in a way that protects everyone's interests.

1 comment:

Written by Micky Tripathi said...

I agree with you that protection of private information isn't just a luxury, because such information can be used inappropriately in ways that affect people's livelihoods. Many current laws were enacted precisely to protect against such harm. We need to make sure that moving to an electronic world retains and indeed strengthens these safeguards.

Thanks.