November 22, 2010

Again: Why Is It You Don't Protect My Health Data?

Why do health plans and providers refuse to secure sensitive data when encrypting it costs nothing at all?


According to a study out of HHS that tracks healthcare data breaches, laptop computer theft was the most prevalent cause of data theft, involved in 24% of breaches. Desktop computers accounted for 16% of the breaches. Physical security is cited as an issue; had computers been kept behind locked doors, fewer would have been stolen. But that's just silly. You can't be locking and unlocking office doors all day long, and keeping a laptop in a locked room is sort of not the whole point of a portable computer.

So, why wasn't the data encrypted? "Ah," you say, "Let me explain our reasons: (1) encryption isn't really secure, (2) it costs money and wastes my time, (3) difficult to administer in an organization, and (4) I could be forced to type in my password at gunpoint."

Well, (1), wrong. Encryption is really secure; the chances of anyone being able to break modern layered encryption are somewhere between zero and non-existent* (except for pure random chance, unfortunately, like when they guess your password is hGRw5k9oBn28, or Let's1andallGo(straight)2Shaneequah'sHouse). Despite what the movies would have you believe, random strings and big long phrases with numbers and punctuation are easy to remember, but astronomically difficult to guess, even using brute force cracking software. ILoveMyCat isn't.

And, (2), wrong. Once setup on a laptop, an "encrypted volume" is just like another hard drive, and to use data on it you simply type in a password. No wasted time (oh, well, alright, however long it takes you to type in a handful of characters -- how bad are your keyboarding skills?).

And, (3), wrong. Are you just OK with losing my data, or is work too hard for you? And that old saw about not being able to administer open source software is inapplicable. Who cares if an admin can tweak and fiddle with the copies of copies of copies of redundantly off-site backed-up data that some lower-down has on his laptop?

And, (4), wrong again. The fear of being held at gunpoint while you type in a password for a file your attacker can see on your computer is simply a waste of good adrenaline. Modern encryption software provides full deniability, such that even the sensitive files themselves are invisible; which is to say, they are hidden encrypted inside another file, one that opens to reveal some non-sensitive content when you use one password, and the sensitive stuff when you use another password. Unless the attacker can see inside your head, he doesn't know the data is even there.

And it's free. Yup. Free, open source, downloadable, and you can have it on your laptop and running beautifully in minutes. We don't have any connection with the product, but we've been using it for years. It's called TrueCrypt. Setup took all of 15 minutes. Five years ago. If you don't use it and you lose my healthcare data, I'm going to be really ticked.

Okay, end of rant. Until the next stupid data breach.

*Alright, let's just say that the odds against are so unfavorable that even the most seasoned hackers won't take the bet.

November 3, 2010

Call for CMS to Release Tax Number Data

The NPI Final Rule called for CMS to establish a system that would assign a National Provider Identifier (NPI) number to essentially every healthcare provider in the U.S. (HIPAA "covered entities"): now more than 3 million providers and growing. Great. But it was years before CMS released that data for the industry to use. CarePrecise personnel were at the forefront even back then, calling for CMS to release the data. If necessary, we were ready to fight for it, filing our own request under the Freedom of Information Act (FOIA). Federal agencies can't keep such kinds of data from the public. It's the law. CMS eventually looked at FOIA, and at their provider data, and decided that, sure enough, they were going to have to release it. We and our clients were ecstatic; now the industry would be able to produce the complex crosswalks necessary to actually achieve the efficiencies promised by the Final Rule.

Hurray... except CMS decided not to release one of the most useful data points of all. A provider's federal tax number is hardly a private number. Businesses have to give their tax number on every imaginable type of transaction. Employees see the employer's number on their W-2s. CMS's excuse was that sole proprietors and pretty much all individual practitioners would have to give their Social Security Number, or that busy doctors might type in the SSN in the wrong spot. Fair enough, but, as everyone who works with data knows, it's a piece of cake to parse a tax number field to determine if the number is a SSN or a business tax number.In fact, that's just exactly what CMS does in the Other ID fields of the NPPES (National Plan and Provider Enumeration System) database, replacing 000-00-0000 with a string of equals signs.

Instead of just redacting the SSNs, CMS decided it was best just to wipe clean the complete Employer Identification Number (EIN) field -- just in case some uppity docs got... uppity. Many of us have been hoping that CMS would revisit the issue of this gaping hole in the provider data, but it seems that the issue is to be ignored so that it will just go away.

So, here we are, once again, years into it, asking CMS to release non-SSN tax numbers/EINs so that we -- health systems and health plans large and small, clearinghouses, HIT vendors, medical billing and coding vendors -- can make this data do what it was intended to do for healthcare and for the taxpayers.

November 2, 2010

Federal Physician Comparison Website Coming

CMS has until January 1 to create the new PhysicianCompare.hhs.gov site, intended to make it possible to lookup info on your doctor and compare her quality to that of others. Like HospitalCompare.hhs.gov launched recently, the notion is that these sites will create the incentive for providers to give better care, ultimately helping to control healthcare costs. As required by the Affordable Care Act, CMS has two years to get the site serving up quality data on docs.

Not only must quality data be available to help patients make smarter healthcare purchasing decisions, but the Act requires that the site help physicians to actively use the information to improve quality.

At a five-hour-long Town Hall last week, CMS gathered doctors, hospitals, employers and anyone else who wanted to participate with the goal of getting input on what the site should contain. The outspoken participants told them, among many other things:
  • Physician's sex, race and age
  • Languages spoken
  • Office hours
  • Medical degrees and schools
  • Hospitals where they have privileges
  • How long in practice
  • Health networks they belong to
  • Awards received
  • Community service work/care for the poor
Then, of course, there's the quality data coming in 2013. What will that look like? Will physicians who serve sicker populations appear to produce poorer results, or will there be some way to "risk-adjust" so that patients can make apples-to-apples comparisons?

And here's a big one: Should physicians' charges be disclosed? How can you make a value decision without prices? Doctors who charge more might offer additional services; what about house calls, or no-wait appointments, or a Personal Health Record (PHR) portal -- should this information be available?

Naturally, the AMA is pushing back a bit. AMA president James Rohack, M.D. told HealthLeaders Media last week that the AMA's concern is that "individual doctor-level data right now is not ready for prime time, especially in complex situations. The attribution of who's really responsible for that care is not worked out." Dr. Rohack said that doctors aren't particularly afraid of being graded: "The reason we became doctors was because we got good grades."

These and many more questions remain to be resolved even before determining exactly what data will be collected -- a step that is mandated to begin in January of 2012. But pulling away the veil of mystery surrounding the work of the physician is long overdue and worthy of the gargantuan task facing CMS. Unless a wing nut Congress repeals or guts the law within the next two years, we will finally be able to look under the hood before making some of the most important and most costly buying decisions of our lives.