Usually when we think of our personal health data being at risk, we think of things like dastardly hackers from faraway countries or something far more mundane like a failure to have Health Insurance Portability and Accountability Act (HIPAA) protocols in place. While both of these examples may be worth some degree of worry, a new study brings to light a source of risk that few of us may have considered. This study, called “Workarounds to Computer Access in Healthcare Organizations: You Want My Password or a Dead Patient?,” is a potent reminder both of how cumbersome electronic health record (EHR) systems can be and why you AND your health care provider might choose to ignore digital protocols in favor of hands-on health care services.
As you might guess from the title of the study (and as is well summarized in a WSJ blog), investigators found that health professionals will ignore or “work around” digital protocols with some frequency in the interest of providing more efficient care. This news is in some ways shocking but otherwise seems totally unsurprising. On the plus side, providers care more about patient health than computer systems. On the minus side, we as a society are spending remarkable amounts of money to secure health care data, and this is not feeling like money well spent.
To be fair to the health workers at the heart of this study, these systems are quite cumbersome. They do not seem to be designed with the providers in mind. Data fields can vary from hospital to hospital and practice to practice. Even the idea behind the systems, to create a secure, comprehensive health record for each patient which would lead to better diagnoses, less duplication of testing and a reduction in prescription drug abuse, seems unserved by the status quo. Perhaps if the systems truly provided this value and were set up to be more user-friendly, the cybersecurity violations described in the study as commonplace would instead be rare. In theory, we are moving towards a better system as EHRs must meet the meaningful use standards begun through the American Recovery and Reinvestment Act of 2009, as well as interoperability, which may, if we are lucky, result in less variation among these systems and, therefore, greater ease of use so that providers aren’t saying: “You Want My Password or a Dead Patient?”