Concerns relating to use of EHR in India
The worries relating to the use of electronic health records anywhere in the world centre on the security of personal or confidential information. A great deal of effort and money is understandably spent on high-tech solutions such as end-to-end encryption, for good reasons. Yet HIPAA compliance, or compliance with similar regulation, does not start or end with encryption.
The commonest breaches of HIPAA-type data protection regulation do not come from IT failures, hackers or ransomware but from activity outside the remit and bounds of the IT infrastructure. Let’s take a look at typical breaches that are usually unrelated to the EHR application per se.
- A doctor, nurse or similar staff member sharing a patient’s information during an appointment with a relative or another professional without consent is a breach of data protection laws.
- Leaving laptops or computers unprotected, insecure or without password protection.
- Sharing log-ins and passwords across staff.
- Using outdated operating systems and antivirus programmes on your machines and networks.
- Poor policies and procedures for managing theft and loss of equipment, leading to a prolonged period during which the data remains vulnerable to breach.
Are Traditional Paper Based Health Records more secure than cloud based health records?
The answer is a straightforward ‘no’. Here’s why –
- How secure is snail mail sent by normal post if reports and confidential information are being sent through it?
- If you ask your patients to keep their paper records safe, how likely are they to lose them?
- If you use free email accounts and unencrypted fax, is the data any more secure than in a secure cloud-based system?
- How easy is it for someone to access a hospital’s own servers, compared with accessing the server locations of an application maintained by an ISO 27001 accredited provider such as AWS or Google, whose servers one can choose from regions across the globe?
Legislation should be clear about where the buck stops:
Importantly, as a health provider and a data processor, one needs to be seen to be doing one’s utmost to ensure the security of data and information within reason (i.e. in keeping with the size of the business and the fees charged to patients). What is important is for the legislation not to scapegoat and penalise healthcare providers for data breaches they are not responsible for. If data has been kept secure in the best possible way, using reasonable means, and it is still hacked, the provider is as much a victim as the patient(s). The law should focus on bringing the culprits to justice rather than seeking heavy fines from providers, as this in itself would create significant barriers to the use of IT innovation and EHR within the Indian context.