Patients at El Camino Hospital can expect easy-to-access medical health records and online hospital test results -- some of the perks of the hospital's new online medical record system that's under way.
El Camino, working with medical software company Epic Systems, is setting up an online medical records database that will link the hospital's patients with millions of others in the Bay Area. The link-up will make it easier for neighboring hospital networks -- like Stanford and the Palo Alto Medical Foundation -- to tap into records from El Camino, including information on medications, allergies and health problems.
And amid recent controversies over hospitals' cyber-security and the major breach at Anthem Blue Cross earlier this year, El Camino Hospital officials say the move towards a digital system will be safe and secure, and patients won't have to worry about their personal information being compromised by identity thieves.
The new system, called iCare, will give patients the ability to look up their medical test results, schedule appointments, refill prescriptions and even fill out the lengthy pre-visit questionnaires, according to Deborah Muro, the iCare project director. It also means physicians outside of El Camino Hospital and the Epic system can access a read-only version of patient records, removing a long-standing communication barrier.
"It (meets) the challenges health care has moving from silo to silo, both within organizations and between organizations," said Greg Walton, chief information officer at El Camino Hospital.
The price tag of the project, expected to be $125 million, will in some ways bring the hospital up to speed with other hospitals in the area, according to Walton. He said Northern California has most of its major health care systems already hooked up to the Epic network with programs similar to iCare, which includes patient records for millions of Bay Area residents. About half of patients in the United States have an electronic record with Epic, according to the company's own statistics.
A big part of the cost of iCare comes from paying the salaries of some 100 hospital employees who were pulled from their posts, either as physicians, nurses or pharmacists, to come work full-time on getting the medical record system up and running. Working out of the old main hospital building, they've been developing and designing the new system for almost a year. The system is expected to be 100 percent "built" and go into the testing phase this month, with Nov. 7 as the tentative date for going live, Muro said.
Hospital board member David Reeder called iCare a big commitment on the part of El Camino, involving all aspects of the hospital. He said staff can't be expected to do their normal jobs on top of working on iCare. Money spent on salaries for people working on the project has been rolled into the $125 million budget.
Reeder, who is one of two board members overseeing the iCare project, said the hospital will be heading into the "testing" phase next, which will include a rigorous process of testing and validation to make sure the system doesn't have any glitches when it goes online. Medications or mixed-up information about the patients, Reeder said, are a serious concern.
"We don't want to go online and get the wrong results," he said.
Threats to medical records
El Camino Hospital will be firing up its new medical records network and hooking up to Epic's database at a time when hackers appear to have their crosshairs set squarely on hospitals -- institutions notorious for being vulnerable to cyber attacks.
Earlier this year, it was revealed that Anthem Blue Cross was hit by a "very sophisticated external cyber-attack," according to a message to customers from Joseph Swedish, Anthem Blue Cross' president and CEO. The attack involved a breach of a database containing the personal information of about 80 million Anthem customers and employees.
Some of the attacks in recent years haven't been so sophisticated. In November 2011, for example, Sutter Health had a security breach when a password-protected, unencrypted desktop computer was stolen from one of its Sacramento offices, containing data on some 3.3 million patients, according to a Sutter Health press release. The database included personal information including medical record number and email address, but did not include Social Security numbers.
The FBI released a notification in April last year to health care providers warning that "cyber intrusions" are likely to increase as health records continue to transition from paper to digital. What's more, the notification goes on to say that hospitals have lax cyber-security standards, and there's a higher financial payout for hackers looking to sell medical information on the black market.
Candid Wueest, a software engineer for Symantec's security response team, said there's a definite and imminent problem with security among electronic medical record systems, and that unlike financial institutions -- which have had so many security breaches that they have now steeled themselves against attackers -- hospitals have yet to catch up with the higher security standards.
"Attackers are moving to the low-hanging fruit," Wueest said.
The problem is that hospitals store much of the same information as banks do, like credit card information, as well as the added information from medical insurance and medical records, Wueest said. That means identity theft can come with requests for medical benefits, pills and even medical equipment, he said, and it takes a whole lot longer to detect it.
"Usually if your credit card is billed for something you haven't bought you can find out pretty quick," Wueest said. "I'm not sure if it's that easy to prove you didn't get those prescription glasses."
As a result, it's far more lucrative for hackers to steal medical records, which are going for anywhere from $20 to $50 apiece on the black market -- about ten times more than credit card information, Wueest said.
"Medical records for identity theft can be useful possibly for months, rather than financial (information) which gets locked out pretty quickly," Wueest said.
Solutions for increased security include two-factor authentication, where users have to log in using a password in addition to an authentication code that is only valid for about 30 seconds. Wueest said encrypting connections and even encrypting the database itself can also be useful tools for keeping information secure. But even with encryption, he said, it's possible for hackers to bypass these measures if hospitals don't stay up-to-date and prevent the use of known bugs, like the Heartbleed security bug that was discovered last year.
"With the right program you could open (the database) and read it like an Excel spreadsheet," Wueest said.
Walton said El Camino Hospital is rolling out iCare with security and privacy as a "top priority," using specific security standards called the HITRUST Common Security Framework, which helps the hospital bring its security level up to government regulations and standards. He said the system has been audited, and the hospital has an in-house security team to monitor and update the system.
Reeder said he is comfortable with the level of security iCare has, but emphasized that the hospital has to keep up the pace.
"It's a constant exercise in making sure we keep up with all the newest threats," Reeder said.