By MICHAEL GERSTEIN
Capital News Service
LANSING – Many hospitals have already swapped old paper documents for electronic records to slash administration costs and improve health care.
But with more hospitals switching to digital filing, concern is growing among health and technology professionals that the push for efficiency and lower costs will open the door to malicious attacks from cyberthieves searching for valuable information.
Yet there have been few known Michigan cases of medical information stolen by unauthorized people, experts say.
“We haven’t really seen any that we’re aware of,” Colin Ford said of privacy breaches. He is the director of state and government affairs at the Michigan State Medical Society.
The U.S. Department of Health and Human Services (HHS), which records data from incidents affecting more than 500 people, shows only two breaches of medical records in Michigan.
In 2010, a Blue Cross Blue Shield network server was hacked into, affecting the records of more than 2,979 individuals.
In 2012, a laptop containing University of Michigan Health System records was stolen, a theft that affected more than 4,000 individuals.
The HHS doesn’t specify the exact meaning of the word “affected.”
Other states have experienced numerous breaches.
For example, data from the Privacy Rights Clearinghouse — a San Diego-based nonprofit that compiles information on privacy breaches — said that since Jan. 1, 2012, there were 96 reported breaches of medical records across the nation, whether by unintended disclosure, insider information or malicious hacking. The data is updated every two days.
And since 2005, the number of reported cases every year has gone up. The majority of the cases took place in California, according to Clearinghouse data.
Of those cases, eight happened in the last month and a half.
It’s possible that there were many more cases in Michigan that were not made public, says Tena Friery, the research director for the nonprofit group.
“Keep in mind that there are only certain breaches that will appear,” she said. “There may be other data breaches that aren’t required to be reported there.”
Alex Chaveriat, the lead specialist for DEF Security, a Livonia company that tests web security for Michigan hospitals, says he knows of hospitals’ records being hacked. His company has worked with those institutions to secure their networks, but he said he couldn’t disclose which clients they are.
Friery said that while the number of medical privacy breaches is going up every year, it’s unclear if the cases are actually rising.
Because of more stringent federal privacy law, incidents that previously would have been swept under the rug are now being reported, she said.
Yet there are worries within the medical field.
John Bizon, president of the medical society, said “I have some concerns with centralizing those records and maintaining privacy.” He was speaking on his own behalf.
The goal of many hospitals is to eventually have all medical records accessible in a national database, making it easier for physicians and patients to view their records.
A primary anxiety is that swapping paper for online records will make it easier for crooks to find financial information, Bizon said.
But experts like the society’s Ford say that beyond gleaning financial information, social security numbers and credit card numbers, cybertheives could use patients records for other, nonbenevolent purposes.
For example, marketers could peddle their products to people based on medical histories, employers could look into records of mental health treatment and life insurance companies could check for past health problems — thus potentially raising insurance costs for some policy holding individuals, Ford said.
Despite the risk of leaks, many experts still support the idea of a centralized medical database.
Allen Goodman, a health economist at Wayne State University, says it would allow easier access to medical records for both doctors and patients, in turn bolstering accuracy and efficiency.
And it has other benefits, he said.
“It saves extraordinary costs. I think that it’s an idea whose time came a long time ago.”
Dave Parks, who oversees the information services department for Three Rivers Health, which has ties to Borgess Health in Marshall, says the hospital takes many precautions to ensure the security of patients’ records. But he understands the danger of a breach.
“I read about it all the time, and it scares me.”
By MICHAEL GERSTEIN