Knowledge Center

HIE and Data Security Breach Potential

John Concannon

One chief concern for us is the liability issues for health care providers accessing an Internet source such as CurrentCare to upload or view patient confidential information.  It appears there is currently no good mechanism in place to indemnify the individual health care provider should a system-wide data breach occur, such as happened in Virginia where state-held patient health information was hacked and held for ransom (see: http://voices.washingtonpost.com/securityfix/2009/05/hackers_break_into_virginia_he.html ).  Attorney General oversight and Federal privacy laws are powerless to prevent or punish dedicated hackers residing in Russia or China.  National Public Radio broadcast a segment last month reporting that even the National Security Agency cannot guarantee that any part of the national computer infrastructure is safe from such attacks, including that of our nation's military ( http://www.npr.org/templates/story/story.php?storyId=127411091 ).

The RI Assembly must immediately legislate indemnification for providers to prevent severe economic losses due to lawsuits and Red Flag compliance issues (whether or not Red Flag compliance for medical practices actually becomes mandated by law).  Currently, it is impossible for providers to even buy insurance coverage to cover any such losses.  Any ‘Trust Agreement’ that we must sign should stipulate such indemnity to providers when electronic access is used in good faith. 

One of the driving concerns that led our practice to dump the Lifespan.asp hosting of our eClinicalWorks application and spend over $13,000 to bring in our own servers was this very vulnerability.  While individual servers connected to the Internet are likewise vulnerable, simple mathematics dictates that the large size of hospital-system or government-run servers makes them much more inviting targets for such hacks.

Of course we utilize common methods to protect our systems such as robust firewalls and regularly updated antivirus software. We also isolate some of our connectivity to the Internet by utilizing separate computers not hosting our eHR system.

So the question is, what are other practices doing to confront these potential problems? Please avoid bureaucratic responses that do not address the concrete things we must do.

John Concannon

More disturbing news:  Health IT Breaches are more common than others would have you believe.  See http://www.ihealthbeat.org/articles/2010/9/8/breaches-of-health-care-dat...

John Concannon

UNHAPPY CAMPER (Vol 1, Issue 1)

According to today's iHealthBeat, these patient health data security breaches will cost, on average, $200 PER PATIENT RECORD to handle.  If we are to embrace EMR we need liability protection.  See: http://www.ihealthbeat.org/articles/2010/8/13/security-breaches-may-caus...

And yet more legislative-doctor-unfriendly proposals at http://www.ihealthbeat.org/articles/2010/8/17/new-senate-legislation-tac...

John Concannon

Yet more on why we need liability protection for data breaches in the following link, ironically posted today: http://www.ihealthbeat.org/articles/2010/7/30/hhs-pulls-from-review-prop... There are even more hair-raising pieces from iHealthBeat in the "related articles" links in the right column.

Consider the above posting to have been 'Unhappy Camper' Vol 1, Issue 1