Monday, December 19, 2011

Maybe MAeHC can help teach the New York Times a thing or two.....

Today's New York Times has an article on a recent security incident that we experienced at MAeHC.  The reporter, Nicole Perlroth, does a pretty good job of bringing together different pieces of the story.  Even tries to give it some Bourne-like suspense -- I guess I'd allow Matt Damon to play me in the film version (though I would have to insist that he get in better shape first).

No story is perfect though, and this one had its share of limitations:

It didn't cite the blog post or the HISTalk Practice website that inspired the story and that accounted for much of the article's content.  OK, so I'm not a journalist, but this seems like a pretty shaky practice.  The storyline comes from the blog, not from the very short interview that I had with the reporter.  Furthermore, if my blog account had been an article in, say, Health Affairs, they would have cited both the article and the journal.  [Update Note:  I forwarded a link to this post to the New York Times and they have now added a link to my HISTalk blog post in the on-line version of their article.  Thank you NY Times for your responsiveness!]

The article notes that electronic breach reports have increased in recent years, and while that is true, a closer look at the numbers reveals that this doesn't necessarily mean that there are more breaches.  There are two important subtleties behind this.  First, reporting requirements have increased, so people have to report more now than they have in the past.  In addition, electronic systems generally have a better ability to detect breaches in the first place.  This is not only due to technologies such as intrusion detection, user-based activity logging, etc., but also because physical devices are easier to track and manage than paper systems -- it may be easy to gloss over a few misplaced paper charts, but you can't hide the fact that you lost a laptop.  So, the fact that breach reports are up may just reflect better detection and reporting and not necessarily more breaches.

Second, the article suggests that electronic systems increase the risk of breaches.  As I explained to the reporter, I believe that electronic systems are more secure than paper/fax, but there is a trade-off in the type of risk that they introduce.  I liken this to the difference between auto accidents and plane accidents.  Auto accidents happen very frequently but with fairly contained consequences, whereas plane crashes are rare but can be disastrous.  The latest OCR report to Congress on breaches reports something like 25K small breaches (fewer than 500), a very large fraction of which are paper/fax incidents. 

Finally, I found it a little ironic that while the NYT article itself is an important step toward educating the public about the real issues surrounding the loss of electronic patient information, it glossed over the steps we've taken to educate the industry – like writing the post that led the Times to the story in the first place.  I think it was a bit of a missed opportunity to encourage organizations that have similar experiences to follow the path of full disclosure that we did.