Thursday, February 19, 2009

FISMA & Your Medical Records On Stim

The new so-called Economic Stimulus Bill (American Recovery and Reinvestment Act) slipped the American taxpayer a Mickey when it comes to health care.
The law directs an existing bureaucracy created by President Bush (the “Office of the National Coordinator for Health Information Technology”) to put together a plan for building this system so that it achieves the “utilization of an electronic health record for each person in the United States by 2014.”

In plain English: Over the next five years, the Obama administration intends to create a federally run electronic exchange that includes every American’s “medical history and problems lists.”

Now, before you run out to the nearest federal office and sign up to put the “medical history and problems” lists for yourself, your spouse and your children into the government’s “nationwide health information technology infrastructure,” you should know the law does not require you—as an individual—to do this.

The “explanatory statement” for Division A explains this. “To the extent that this section calls the national coordinator to ensure that every person in the United States have an EHR by 2014, this goal is not intended to require individuals to receive services from providers that have electronic health records and is aimed at having the national coordinator takes steps to help providers adopt electronic health records,” says the explanation. “This provision does not constitute a legal requirement on any patient to have an electronic health record.”

But if the national coordinator cannot make you—an individual—submit your records to the system, how is the poor guy going get “an electronic health record for each person in the United States by 2014”?

This mystery created by 139 pages in Division A is solved by the 77 pages in Division B: The secretary of health and human services is given a carrot and stick to make doctors and hospitals create EHRs for their patients. Doctors and hospitals that make “meaningful use” of EHRs by the deadline get bonus payments from Medicare. Those that do not get diminishing Medicare payments.

What is “meaningful use”? That is at the discretion of the secretary of HHS, but the law says it will include “electronic prescribing,” “the electronic exchange of health information to improve the quality of health care” and submitting information “on such clinical quality measures and such other measures as selected by the secretary.”

Lastly, the law directs the secretary to ratchet up the “meaningful use” test as time goes on. Or as the “explanation” politely puts it: “The secretary would seek to improve the use of electronic health records and health care quality by requiring more stringent measures of meaningful use over time.”

In other words, once the secretary has your medical file in the system, he is supposed to make your doctor do ever more with it at his command.
Now with that in mind, take a look at the overall state of computer security (FISMA) in the Federal Government as of FY2007 (the last data available). The "overall" grade for the Government was a "C" (up from a "C-" last year).

Given how they manage computer security, do we really want to let these guys manage our most personal details? I'm sure they would be much better when they start rationing our health care.


rybolov said...

I hate to tell you this, but the private sector is much worse with security. The only difference is that you don't have any kind of transparency into how your doctor manages the data they have about you.

The FISMA grades were made to generate public outrage at the sad state of security inside the Governmnet because that's the only way you can get the political appointees inside the agencies to care.

I talk about the Government and security incessantly on my blog, check it out.

Nod said...

Hi Guerilla-CISO. What you tell me isn't news; I've spent my career assessing both government and civilian network security, so I know the true state.

I've actually got a lot of pull in my doctor's office, if not complete transparency, so I'll take my chances there.

One of the biggest dangers I see here is aggregating all the data in one place where I know the security will be inadequate.

Thanks for the comment. Cool blog.


Related Posts with Thumbnails