WASHINGTON - In the wake of high-profile health-care data breaches in Minnesota this year, Sen. Al Franken on Wednesday examined how sensitive data can be better protected as more of it moves to the "wild, wild West" of the Internet.
Thefts of laptops containing patient data from Fairview and North Memorial hospitals earlier this year were just a small slice of health data thefts in the United States. In a 15-month span, the Department of Health and Human Services (HHS) found that more than 50 laptops were stolen from hospitals, clinics and medical centers.
Kari Myrold, privacy officer at Hennepin County Medical Center, testified on Wednesday before the Senate subcommittee on technology, privacy and the law about how her hospital has been a pioneer in the use of electronic records while working to keep sensitive information safe.
No matter how strong the safeguards, Myrold said, there is always a risk. "I think every organization is a keystroke away from the same kind of thing [as Fairview]," she said after the hearing. "You do the best that you can."
In the Fairview case, the breach occurred after a consultant failed to encrypt patient data even though Fairview had said to do so, Myrold said.
Franken, the Minnesota Democrat who is chairman of the subcommittee, praised the use of electronic records to track patients after the Interstate 35W bridge collapse. Congress passed a law in 2009 to give doctors and hospitals financial incentives for digitizing records. But, Franken said, "The same wonderful technology that has revolutionized patient health records has also created very real and very serious privacy challenges."
Franken and data advocates complained that HHS had not put in place the stiffened penalties and enforcement allowed under the legislation, and said few cases have been prosecuted. "The wild, wild West for data is not an environment of trust," said Deven McGraw of the Center for Democracy and Technology.
Myrold said that when it comes to data encryption, many health companies "aren't taking it seriously. Until we actually get those final rules, knowing that they actually will be enforced, we probably will not see more compliance."