Do you know where all of your electronic health records reside? Do you know whether they are safe?
In answering the first question, you probably think about your primary care physician, your local hospital, specialty medical providers and ancillary providers such as optometrists or your dental practice. The answer to the second question, of course, is much harder to discern but vitally important because the information contained within a medical record is often sufficient to commit identity fraud.
One area of electronic health record (EHR) collection and sharing you probably overlooked when compiling your list encompasses clinical data registries, often used for research purposes to investigate conditions, medical procedures, demographic groups and more. If a medical provider participates in a registry, you likely signed up to participate when filling out those new patient forms related to data collection, protection and dissemination. Did you read them?
Although critically important for research purposes and the categorization of diseases, clinical data registries fly under the radar in terms of privacy and security issues. They face much less scrutiny than more well-known medical data repositories such as EHRs. If anything, clinical data registries provide more chance for breaches – either unintentional or as the result of a hacker or other bad actor. That’s why clinical data registries should be certified/accredited by independent organizations to safeguard protected health information as it resides in registries and moves among those collecting the data and those using it for research.
Although rare, data breaches among clinical data registries do occur. Unauthorized disclosure of an estimated 100,000 records of patient data supplied to the American College of Cardiology (ACC) through a national cardiovascular data registry was discovered in December 2015. The incident occurred in 2009 or 2010 when ACC contracted with a third party to revamp the registry, providing 250 tables of fabricated patient data to be used for testing. However, one of the tables contained real patient data, including names, dates of birth, Social Security numbers and other identifying data.
It took five-plus years to uncover the incident. A search of the breach portal maintained by the U.S. Department of Health and Human Services Office for Civil Rights shows no direct listing for the ACC breach. Of the 1,400 entities that were reporting data to the ACC, only two show up in a search of the American College of Cardiology.
The association had introduced new security controls before the disclosure was found. A spokeswoman said ACC continues “to update security processes and monitoring to ensure best practices are followed for protecting patient data.”
Registries are facing several challenges regarding best practices which could put the security of patient data at risk. Data collection still rarely occurs directly from an EHR because of technical difficulties and costs associated with linking various IT infrastructure, but interoperability is slowly improving. Lack of integration means lots of manual data entry and manipulation that can be prone to error.
Moving registries to the cloud does have some advantages for the collecting organization, but security concerns can remain. Beyond the significant requirements for the physical and electronic security of data, other challenges can include how controls are handled, assigning roles-based access rights and inadequate consents to collect/disseminate protected health information.
Data security includes complying with HIPAA privacy and security regulations, Institutional Review Board guidance and the Federal Policy for the Protection of Human Subjects, better known as the Common Rule. With the addition of technology interfaces that allow data to move among IT systems, privileging and security become even more important, because the weakest link can be used to exploit the entire system.
The most-famous example of this type of attack is the 2013 Target breach of 110 million credit and debit card users who purchased from the ubiquitous retailer during the hack. How did the bad guys get in? Through a third-party vendor who had peripheral access to Target’s IT systems.
That’s why data registries should adhere to a core set of requirements for compliance with privacy and security standards. Such accreditation would review functions of the registry, including structure, clinical integration, compliance monitoring, interoperability, reporting and industry certification/accreditation. It should closely monitor how information is passed among databases to ensure that privacy and security are maintained during the exchange. It should also serve as a baseline standard for participating organizations to assure compliance with federal privacy, security, and regulatory guidelines.
Clinical data registries play a vital role in the health data ecosystem and in the future of healthcare. Information contained in registries is helping researchers make new discoveries and giving patients access to cutting-edge treatments and trials.
Hacking, phishing attempts and ransomware continue to proliferate, and healthcare remains a target industry. That’s why clinical data registries should adhere to strict standards to ensure privacy and while maintaining high standards for data exchange that power their important work.