Digital healthcare stimulus brings opportunities, risks

Healthcare in the United States is going digital, which brings both tremendous opportunities and security risks. Digital healthcare brings the promise of increased quality of care, reduced errors and reduced cost and overhead in the provision of care. Yet the United States lags other countries in the use of technology in healthcare records. Fewer than 10% of hospitals and 16% of doctors use electronic health records. This is about to change.

The stimulus act (American Recovery and Reinvestment Act of 2009) contains a Title IV, the Health Information Technology for Economic and Clinical Health Act (HITECH Act). The government has included more than $19 billion in direct funding as well as enticements (carrot) and regulatory controls (stick) in this part of the bill. It is likely that more healthcare reforms and digitization efforts will follow both in the general budget and in specific healthcare bills in the near future. On the technology innovation and vendor side, an enormous amount of money is being poured into the development of technologies and standards around Electronic Health Records (EHR). There is also a high likelihood of new tax incentives pushing for the use of EHRs in the provision of care.

All of this points to an explosion of technology in healthcare and more specifically in the digitization of medical records. With increased digitization, new privacy regulations and more integration between different provider systems bring new risks and an increased burden of regulatory compliance. For security professionals in healthcare this all represents both a tremendous opportunity for skills and career development and a whole load of new responsibilities and work.

Let's face it: a lot of the privacy and security we enjoy with respect to our medical records is not just a result of the Health Insurance Portability and Accountability Act -- it is a result of the enormous inconvenience imposed by mounds of paper. You can't hijack a fax transmission as easily as a file server. You can't steal all the records in a single sweep when they're in file cabinets, not file servers. Inconvenience buys us privacy. If medical records get digitized and standardized, encoded and transmitted, then all of that inconvenience goes away. If we're not careful, our privacy goes with it.

The benefits of healthcare digitization far outweigh the risks, in my opinion. Not only can you expect an enormous reduction in cost at each point of care, you can also get enormous benefits from the exploration and aggregation of health information for clinical and epidemiological studies. But there is the rub, the problem word in the previous sentence: aggregation. Once records are digitized, the incentives to aggregate and statistically analyze them are enormous. The potential societal benefits of statistical analysis revealing the efficacy of treatments, the impact of genes or environmental circumstances, and the performance of individual doctors or hospitals are incredible. So aggregate we will, and if we don't carefully control our data we will end up with an epidemic of privacy violations to add to our epidemiological studies. With great power comes great responsibility. Regulators, healthcare providers and security professionals will have to rise to the task -- the benefits are too great to pass up and the risks too horrible to ignore.

