Trade Law Daily is a service of Warren Communications News.
‘Into the 20th Century’

Federal Health Insurance Overhaul Magnifies Persistent Data Security Burdens, Says HHS Official

SAN FRANCISCO -- Revamping the health-insurance system adds to huge data security and privacy problems with making medical information electronic, an Obama administration official said Tuesday. The creation of health insurance exchanges under the federal Affordable Healthcare Act raises the stakes in government efforts “to move the health industry into the 20th century,” said Joy Pritts. She’s the chief privacy officer in the Department of Health and Human Services’ Office of the National Coordinator for Health Information Technology, which promotes the use of electronic health records and information exchange. She said advancing into the 21st century remains an aim down the road.

“One of our biggest challenges right now is encryption,” Pritts said at the HealthSec ’11 workshop held with the USENIX Security Symposium. “You would think” that the department’s exposing those breached on an online “wall of shame” (http://goo.gl/uFyQR) would be enough to motivate companies and other organizations to avoid bad publicity by encrypting patient data, she said. But the thinking is that “it’s just not worth it, considering the impact it has on your operational capabilities,” Pritts said. Her office is told that “encryption slows systems down to the point that they’re not operational,” she said.

“Advanced persistent threats” are a booming security problem generally, Pritts said. The conventional wisdom is that these must be managed, because the network perimeter can’t be defended adequately, so the threats can’t be defeated, she said. But this is a highly troublesome strategy in relation to people’s expectations about the security of their medical information, she said.

Healthcare is considered “an ultralarge system which is almost unmanageable,” Pritts said, adding, “How do you assess risk” in an arena “so huge,” in which “you don’t know who all the players are?” She compared the field with “one of those Harry Potter maps” that “keep changing on a minute-by-minute basis.”

Asked about the most unexpected development in her work, Pritts said, “I’ve found it somewhat surprising” how “things have evolved” in organizations’ relations with “business associates” under the Health Insurance Portability and Accountability Act. When care providers were required to restrict data use by partners, there was an assumption that providers would control handling of the information, she said. “In practice, that’s not how it’s shaking out.”