Elizabeth Parrish

Protecting patient records is getting trickier

SWEENY — More and more medical technology innovations mean more ways to record and store patient information on various devices. Computers can be vulnerable to hacking and servers have to be locked up tight. When old equipment and computers are ready to be disposed of, they also risk having data breached.


Once patient privacy is in the hands of someone else, mistakes can, and sometimes do, happen. That’s why property or asset managers are key players when it comes to keeping information secure and making sure HIPAA regulations aren’t violated if equipment is sold, traded or salvaged. Stuart Butler plays that role at Sweeny Community Hospital and says patient privacy can be breached easily if hospital staff doesn’t have proper training.


“For example, the copier. If you send print jobs, it keeps a copy as a record so we have special software that erases it every so often,” Butler said. “A button is hit and completely wipes the hard drive so no data is left on it. ...The government standard is it rewrites over it seven times.”


Imagine the hackers seen in movies and on TV furiously typing away zeros and ones to cover their tracks. That’s basically what Butler’s describing, except it’s a computer program doing the rewriting instead of a human being. But the security of patient medical files goes beyond that — physical security poses challenges too.


In Texas, hospitals are required to keep patient records for 10 years from the last date of treatment for adults. For minors, they are required to keep records for 10 years from the last date of treatment or until they turn 20, whichever date is later. For a small hospital that saw 30,732 total patient encounters for fiscal year 2018 alone, that means hundreds of thousands of records being kept over a long period of time, all of which are stored on servers.


Sweeny Community Hospital keeps its server room separate altogether, Butler said, at an undisclosed location outside of Texas. The location is not being disclosed to protect the security of patient records.


“We certainly don't want to give anyone clues to anything,” hospital CEO Scott Briner said.

Information can be mistakenly shared, too. The hospital’s biggest medical file security risk, Butler said, is when staff has to create physical copies of electronic records, something that is needed often.


“If it prints to the wrong printer, for example. That’s low-tech but that's the reality,” Butler said. “Or our medical records form that needs to be filled out and signed before we send it off. In most cases, that paper goes back and forth on a machine before it’s faxed.”


If someone faxes records to the wrong machine, that patient’s record goes to whoever the machine belongs to. In that case, Butler would investigate to find out where the record went and why it happened, and look at what they could do better to prevent it from happening again.


“Patients don't realize how hard we work to protect their data,” Butler said. “They get mad and say they don't want to sign a paper to get their own information but that protects them.”


To help reduce risks posed by paper copies of records, patients who check into Sweeny Community Hospital now have to use an iPad. While it may not sound secure to some, Butler said risks are reduced because patient information is immediately sent to their servers and wiped from the iPad.


For tech that stores patient information on the machines themselves, Butler said those are less of an area of concern than servers and physical security. Glucometers are among the machines the hospital uses that can record patient information, but they only store the information in the form of a patient number. When hospital staff send that number to the server, the server can connect it to a specific patient, but without the server, the number is useless.


Sweeny Community Hospital tries to encourage employees to report breaches of security or anything that could pose a security risk, Briner said.


“It’s really kind of about controlling the culture of compliance,” Briner said. “There’s risk to all components that go into policy procedure so we’re creating a culture that is proactive about breaches.”


While security seems to be pretty tight at Sweeny Community Hospital, it may not be at other hospitals. Gary Quinn is a retired asset manager from Austin and formerly worked for UT Southwestern Medical Center, where he regularly acquired new equipment and traded, destroyed or sold old equipment. In his years of experience as an asset manager, he more than once encountered instances of accidental but serious patient file security breaches at other hospitals.


“They’ve all had that where a doctor lost his laptop at the airport and they don’t think about it because they don’t think, ‘gee, it could have someone’s personal info on it’. But guys like me, we think about that lot,” Quinn said. “Because it’s only $225 for them but it could cost us $400,000 to remediate damage on it.”


By law, if a computer or other device with patient information stored on it is lost or accidentally sold without the information being removed, they are required to contact every person whose information was or might have been on the device or computer, according to Quinn. Unfortunately, hospitals and medical research centers losing equipment is common, Quinn said.


“Step one is you hold people accountable and you don’t let them get away with things like that,” Quinn said. “You’d be surprised with how many businesses lose equipment and don’t do anything about it. If you lose it and have to pay for it, word gets around pretty quick and then people don’t lose it.”


Salvaging or trading medical equipment is another messy area. In order to purchase used medical equipment, someone has to have a medical salvage license. But according to the Texas Department of State Health Services, little is required to obtain the license.


“Pretty much anybody,” SHS compliance officer Jonnetta Wheaton said when asked who qualifies for the license. “Basically, they fill out the three-page application. We want to know what the address is of the place from which devices will be distributed, who is in charge, what is the leadership or corporate structure, etc.”


Salvage companies can be a helpful tool to the medical community, especially to underserved hospitals that often can’t afford brand-new medical equipment. But just like hospitals and medical centers, they have room for human error and sometimes don’t check equipment coming in and out of the business to make sure records were wiped.


“We’ve gotten things that have not had data wiped off of it,” said Dana Smith, president and CEO of KMA Remarketing Corporation, a company based in DuBois, Pennsylvania that purchases, sells, services, appraises and liquidates pre-owned medical equipment. “Like with anything, humans are imperfect by nature of the simple fact we are human.”


Reselling and refurbishing equipment can have global benefits, too, Smith said. For example, sometimes equipment is sold to non-profits who take the equipment to needy countries, like parts of Africa, to reach underserved populations. But many times, this exchange has to be done through third-party companies or individuals like KMA Remarketing Corporation.


“Other people are just downright crooks trying to hoodwink people to get a one-up,” Smith said. “And some people make mistakes, get in over their head and don’t have the knowledge to do what they do.”


When it comes to working with these third parties, there are ways to tell if the company is reputable or not. Having an asset manager or a whole team of asset managers is one. There are also a number of additional certifications companies can get to prove their knowledge of HIPAA and of the medical technology industry in general, Smith said.


CHI St. Luke’s Health Brazosport Hospital currently doesn’t have a security expert at that location but is working on hiring one, CEO Al Guevara said. The hospital declined to comment further on the subject.
