Tuesday, May 12, 2009

A vote in favor of electronic medical records (with caution)

Efforts to move medical records out of their antiquated paper files and into sleek new computer systems have gained great momentum in recent months. The Obama administration has pledged $17.2 billion in economic stimulus funds toward this goal. Supporters have hailed the benefits of speedier access to critical medical data and easier transfer of medical histories when a patient sees a new physician.

But amid this rush toward new technology, some doctors and several organizations such as Patient Privacy Rights have raised a yellow flag of caution. In this age of Internet hackers and lost laptops, just how secure, they ask, will these computerized medical records be? After all, it’s a lot easier for someone to waltz out of a hospital with a USB stick in their pocket containing 5,000 patient records than with many boxes containing the equivalent paper records. Moving electronic records online can make them particularly vulnerable.

To some extent, these fears are justified. I have been studying the security of electronic medical files for about a year now, and it’s not the first time I’ve confronted the pros and cons of paper versus electronic records. Since 2003, my primary research has focused on the security of electronic voting systems. As a result of that work, I have concluded that the best way to ensure proper elections is to move from electronic to paper ballots.

Yet what is true for voting systems is not necessarily true for electronic medical records. The adversarial model in these two applications is completely different. In a voting system, all parties should be viewed as adversarial. Everyone has a stake in the outcome, and there is no reason to believe every software developer, election official, poll worker or voter will refrain from tampering with the process. That doesn’t mean these people are malicious. It just means that we need voting systems that can be trusted, even when the people associated with the process are corrupt.

Contrast that with the medical records scenario. Computerized system designers and builders have every reason to want their technology to be secure, and little or no incentive to undercut this. Vendors will sell more systems if their technology is highly secure. Hospital administrators will seek the safest systems to protect patient privacy and keep their institutions off the front pages and out of the courtroom. For patients, the benefits are obvious.

Protecting identifiable electronic medical records is easier than protecting anonymous votes in an election. And it is a manageable problem. That’s not to say that there will never be incidents where medical records are compromised. But with good design, proper care, appropriate procedures and, of course, sufficient funding, electronic medical records can be protected as well as, or even better than, the paper versions.

Still, we need to be careful. There are many wrong ways to make this transition. If history is any indicator, unless a concerted effort is made to require proper protection, the new medical systems will be no better than the insecure voting machines that many states have purchased. When money flows from Washington, vendors tend to spring up out of nowhere. The ones who gain traction are the ones with the best sales teams, the glossiest brochures and the best connections, but not necessarily the most secure systems. This has happened over and over again in every industry.

We need to make sure that security standards, including evaluation and testing procedures, are established before the billions are spent. Computer security experts in academia, government and industry should all be engaged to establish criteria and evaluation methodologies. We need support from all of the relevant stakeholders, including privacy advocates, the medical establishment, vendors and the technical security community.

We are facing a golden opportunity to improve the lives of millions of Americans by providing computerized storage and access for medical records. We can reduce or eliminate redundancy, waste, unnecessary exams and procedures, and medical errors. And we can do it without inordinate risks to individual privacy. Nevertheless, while electronic records appear to be our destiny, the privacy of those records will only be preserved if we are careful and do this right. There will be no second chances.