Data Breaches and Why Electronic Health Records Are Still Better
January 30, 2014

When electronic health records were first introduced to behavioral healthcare, there was a significant amount of skepticism about whether we could trust these machines with this important and confidential information. We adjusted to using electronic records systems but many of us believed that the servers on which the data resided had to be on-site. Now, we think nothing of storing confidential information in “the cloud”. We are being encouraged to interoperate with other healthcare providers especially those in primary care. The data that is stored can also be shared and analyzed in large data warehouses with the promise of mining this data to find better and better ways to help people. We’ve come a long way.But this last round of data breaches have given me pause about this whole electronic data stuff especially in regards to the behavioral healthcare industry. We have known for a long time that no system is impenetrable. But seeing the breaches that have occurred at Target and Neiman Marcus and the Snowdon disclosures about the NSA tracking us all, has caused me to ask, “should we be putting behavioral healthcare data online either discreetly or in aggregated form?”I have been a pretty strong supporter of “Big Data” and the use of data warehouses for our industry. In spite of my new-found reservations though, I don’t long for the “good old days” before electronic health records and data warehouses when everything was on paper. Despite our selective memory, those systems weren’t secure either. I remember one time when we lost a complete paper chart – during a Medicaid audit. Not pretty. Standard operating procedures required us to fax portions of the chart when a client showed up in a different location.  But then, we had no way to control the copy. Charts were inappropriately but frequently carried in the back seats and trunks of case managers’ cars. We sometimes think that the records were physically more secure when in the Medical Records room.  But the truth is if someone walked into a mental health facility, pulled a gun on the medical records clerk and said “give me these 100 charts”, they would get them. The only saving grace was that the absconded records were probably illegible. The point is that it is just not true that records were more secure back then. What is true though is that if there is a breach in an electronic system, it will likely be a big one. In any system, the best we can do is to make the cost of getting the data higher than the value of the data.Why do people try to steal data to begin with? In the case of the Target and Neiman Marcus breaches, the data was inherently valuable, i.e. credit card numbers. It’s a pretty safe bet that the hackers weren’t trying to determine what kind of Tupperware or Chinos people were buying. Now compare that to medical data and specifically behavioral healthcare data. Is it inherently valuable? No. You can’t take someone’s DSM-IV diagnosis and buy a car with it. The data has value solely because it’s supposed to be secret, because there are potential repercussions of someone having their data made public. We know the bad things have happened to people whose diagnosis was made public. But here’s the problem: the data has value only because we feel the need to keep it secret. If it didn’t matter, it wouldn’t have any value. Put another way, if you knew nothing bad would happen to you if someone found out you were in treatment for a mental health disorder, how worried would you be about its discovery? How closely do you protect people from knowing your astrological sign? Or your favorite color? Or your weight? (Um, maybe that’s not a good example). But you get my point, people don’t protect that which is non-threatening.  If it’s true that the way to protect data is to make the cost of getting the data higher than the value of the data, then we can either make it more expensive to get the data or we can decrease the perceived value of the data itself.I’ve come to believe that we are at a crossroads in this country about this issue, precipitated, in part, by this EHR/Big Data issue. It used to be easy to hide the truth about seeking help for mental health or substance use. Now, the chance of this information becoming public is very real and this, paradoxically, could be a good thing-at least in the long run. As mental health and substance use treatment becomes more mainstream and accepted, disclosure of one’s mental health history will be met with a collective “Who Cares?” The perceived value of the data has just been eliminated.We are just beginning this journey. The transition will be hard but the end result will be worth it. Our challenge now is whether we retreat to the old model of keeping it a secret thereby increasing the value and the likelihood people perceive it as valuable or we try to build a world where mental health or substance use diagnosis is no more threatening (or interesting) than one’s choice of Tupperware or Chinos. – See more at: