ObamaCare reg on digital patient records raises security concerns

A provision in ObamaCare requiring medical providers to switch from paper patient charts to electronic records is intended to reduce costs and improve care. But privacy advocates fear the transition is too fast for security measures to keep pace.

"The thing I worry about is not that we are doing it, but that we're doing it without the right safeguards," said Lee Tien, a senior staff attorney with the Electronic Frontier Foundation. "We have been giving (medical providers) incentives to move into the electronic-health-records era. But we haven't been giving them enough guidance on how they're supposed to do it."

Tien is concerned more specifically with the timeline outpacing privacy laws that keep pharmaceutical companies and other entities outside hospitals and doctors' offices from exploiting the information for commercial use.

"Like any other kind of customer data, it gets bought and sold and you have no idea where it went," Tien said.

And cyber-security experts say consolidating vast amounts of patient information in large databases creates a big target for high-tech thieves, domestically and abroad.

Daimon Geopfert -- a security and privacy expert with the McGladrey consulting group -- compares the situation to a group of banks with tunnels to the same vault.

"The security of that master vault, in many cases, is as insecure as the least secure of those banks," he said.

While advanced attacks do occur, Geopfert said, databases commonly encounter breaches caused by a single employee inadvertently exposing a computer to the same type of malicious software, or "malware," that everyday users routinely encounter through their daily Internet use.

The malware can go unnoticed for months as it sends spam emails, infecting other computers on the system. And once the hackers realize they've infiltrated a hospital or doctor's office, patient records become an attractive target, according to Geopfert.

"A lot of the breaches we run into start from something very trivial," he said.

Though banks, retailers and consumers are familiar with the risks of fraud, the detailed personal information in patient records raises the concept of identity theft to a whole new level, said Steve Vinsik, a vice president and cyber security expert with Unisys.

"If my credit card information is compromised, I can get a new credit card and change that information," he argued. "I can't change my Social Security number. I can't change my birth date or medical history."

The concern is that once armed with highly specific personal information, identity thieves are able to commit fraud or apply for credit in that person's name over and over again.

However, some physicians argue electronic records allow for privacy measures that would be impossible with paper documents.

"The added security that you get with an electronic health record is that each individual health care team member within the organization will have access only to that data that is needed for them to take care of the patient," said Dr. Thomas Gearhard, a family physician and board member with Wellstar, a metro Atlanta hospital system that is in the process of transitioning to electronic health records.

He also said the secure sharing of digital records will improve patient care over the current system, in which individual physicians and practices maintain separate paper charts.

"We have a tremendous amount of information about our patients," Gearhard said. "But the problem is that information is not easily accessible to everyone on the patient care team -- including the most important part of the patient team, the patient themselves."

Legislation included in the 2009 federal stimulus package requires hospitals and medical practices to begin using electronic health records by 2015. Republican senators are voicing concerns the timeframe may be too ambitious for some providers.

Seventeen of them, including Sens. Lamar Alexander, of Tennessee, and John Thune, of South Dakota, recently sent a letter to Health and Human Services Secretary Kathleen Sebelius requesting a one-year extension for health-care providers to upgrade their technology for electronic records.

In the letter, the senators claim the current schedule "may further widen the digital divide for small and rural providers who lack the resources of large practices and may not be vendors' top priorities."

Fox News' David Lewkowict contributed to this story.