To prevent EHR breaches, stop using them (Q&A)
8 min read

To prevent EHR breaches, stop using them (Q&A)

To prevent EHR breaches, stop using them (Q&A)

The idea behind electronic health records seems sound: Bring a patient’s paper chart into the Digital Age. But the reality, says Twila Brase, a public-health nurse who is also the president and co-founder of the patient advocacy group Citizens’ Council for Health Freedom, is that EHRs are a disaster for patients and doctors alike—and in more ways than we might suspect.

Brase, whose book on the subject, Big Brother in the Exam Room, was published in July, describes the problem as having brought together seemingly disparate health care threads. Through meticulous research for the book, which includes 1,500 citations, Brase and her Citizens Council for Health Freedom organization concluded that EHRs are causing a data deluge that’s swamping doctors, and leaving patient choice high and dry.

EHRs reduce the ability of doctors to make decisions that they feel are best for the well-being of their patients while decreasing patient privacy, Brase says. And the ostensible EHR goal of making it easier for patients to take their highly sensitive health care data from one doctor to another? It’s little more than a myth.

Twila Brase
Twila Brase

“EHR technology was not allowed to develop on its own, in a way that would work for patients and doctors,” Brase says. “It’s really about data collection, data reporting, data analytics, profiling, predictive analytics, and embedding protocols for practitioners to follow, as opposed to allowing doctors to have a technology that meets the individualization of medical care that’s necessary.”

A 2016 Mayo Clinic study found that EHRs are a major factor in physician burnout rates, and a 2017 Brown University study concluded that the meticulous requirements of EHRs has intruded on how much time doctors get with their patients.

While more commonly discussed dilemmas, such as how best to patch connected devices, and stopping ransomware attacks, form the foundation of some of the hardest problems to solve at the intersection of cybersecurity and medicine, the immense value to hackers of medical records—and the lack of flexibility hospitals and doctors have in dealing with them—can’t be ignored, either.

Medical records, replete with personal data such as home addresses, phone numbers, financial information, and Social Security numbers, are among the most expensive records for sale on the Dark Web.

Not all doctors agree with Brase. A Stanford Medicine poll of 521 primary care physicians from March 2018 found that 63 percent believe that EHRs have improved patient care, and 66 percent are “somewhat satisfied” with the EHRs. However, even the doctors who appreciate EHRs aren’t entirely satisfied with them: Only 8 percent reported that their value was clinical, and 72 percent said EHR interfaces need improvement.

Brase spoke by phone from her office in St. Paul, Minn., on how she believes that the data collected on patients isn’t just unnecessary, but ultimately harmful to healthy outcomes. What follows is an edited transcript of our conversation.

Q: How are electronic health records problematic? The idea of digitizing patient information seems to be fairly reasonable.

The basic foundation, or purpose, of the electronic health record, as it is today, is not to take care of patients.

EHRs are also the primary cause for physician burnout. A study in September 2016 from the Physicians Foundation of a little bit more than 17,000 physicians found that 48 percent of them are thinking of either leaving the profession or drastically reducing their hours, or going into nonclinical care. This is at a time where 10,000 baby boomers are entering Medicare every day. So half of our physicians are thinking about heading for the exits.



READ MORE FROM ‘NO PANACEA FOR MEDICAL CYBERSECURITY’

Why health care cybersecurity is in ‘critical condition’
Triaging modern medicine’s cybersecurity issues
How to recover from a health care data breach
Ransomware attacks against hospitals: A timeline
How weak IoT gadgets can sicken a hospital’s network
Opinion: Who foots the bill for medical IoT security?


The EHR has been found to be a primary cause of burnout because these doctors are not doing what they were trained to do. Dealing with EHRs makes them question why they were willing to sacrifice so much of their lives to become a doctor.

The high costs of the system have also forced many independent doctors to become employees of larger groups, which means that other people are telling them what to do. Beyond the government telling them what to do, and the health plans telling them what to do, now we have the hospital or the health care system telling them what to do or how to practice, including typing protocols into computers.

Even those who have managed to stay outside larger practices are still dealing with the costs of the electronic health record system, the cost of coercion. It’s not only the direct cost of participation, but all the gazillions of indirect costs that nobody were ever even told about.

What purpose do they serve?

Congress mandated the formation and certification and “meaningful use” of electronic health record technology. Not meaningful for the patient or doctor, but rather for the government and others accessing the data.

I call such a record a “government EHR” in the book because there were EHRs before the government-mandated EHR that worked for the doctor and for the patient. So-called meaningful use of the certified electronic health record technology is broken into three approved stages. And practitioners and hospitals that don’t comply are penalized.

The current electronic health record is not just a computerized version of the paper medical record. It’s so much more than that. And it’s all really about data collection. I consider today’s EHRs part of a surveillance system inside the exam room that has made doctors into data clerks. They’re helping create a comprehensive dossier on individuals.

That sounds far more invasive than people might expect. How much personal data does the EHR include?

There’s a section in the book in which I talk about where Judy Faulkner, founder and CEO of Epic Systems, which makes EHR software, wants the EHR to go. She wants it to become a comprehensive health record. She said at an Epic company meeting that EHRs should include who you are, what you eat, how much you sleep, and what your social conditions are like because these factors affect health.

She wants to put social media in there. EHR companies want people to add information about themselves through the patient portals. And it’s all really this great data-collecting mechanism. And a lot of patients just don’t even understand that that’s what’s being created here, as a part of something called population health management and analytics.

I’m reminded of a report from a few years ago, in which a doctor complained that his patient showed up with pages of self-collected health data, none of which the doctor said was useful in diagnosing or treating the patient. You’re saying the modern EHR is like that?

Right. Or it’s difficult to find the information that is germane. I know I had a clinic just print me off what my EHR said from that one visit. And it was basically four pages listing conditions that I didn’t have. Where’s the part that says what I actually have, or what you’re supposed to do or whatever? It was amazing to me.

One physician told me that when he’s going into surgery for a patient, he has given up looking for the nurses’ notes because they’re just too difficult to find.

Another doctor said that when he went to medical school in Puerto Rico, they had carbon copy electronic health records. Electronic medical records, carbon copy, and full of junk. And people there need to come with their own record because it’s just too difficult for doctors to find whatever is important in the official medical record.

And there’s this one doctor who talks about how, somewhere buried in a record, is the fact that the patient’s condition has changed. But because there’s been so much data copied and pasted, the fact that the patient’s condition had significantly changed might be missed. That piece of information was critical but incredibly hard to see.

Beyond cluttered, extraneous data, what are the other drawbacks to the modern EHR?

You don’t actually always want an EHR because sometimes, what you’re looking for is a fresh second opinion. And the way that everything is moving, you won’t be able to get that fresh second opinion because a new doctor will be looking at other doctors’ diagnoses.

So, what value does the EHR have?

There certainly are electronic health records that work for the patient and the doctor, but that’s not what we’re dealing with today. If patients gain the authority to say who gets access to their data, that would be one thing. But under the Health Insurance Portability and Accountability Act, we don’t have that authority.

So the fact that everybody is striving for interoperability between EHR systems, which one person has labeled a $30 billion unicorn, just ignores that the only thing that’s protecting people from having their privacy completely intruded upon—and all of these outside entities being able to use them for all these other purposes to which they have not agreed—is the fact that we don’t have interoperability. Yet.

So, 64 percent of Americans have some record in the Epic system. Which means Epic has all of their data, and some portion of data on a huge percent of the American population. Those patients have no control.

I spoke with one woman whose data was shared from a clinic that she never visited! Most people think HIPAA protects their privacy, but HIPAA does the absolute opposite.

Minnesota has a strong privacy law, and big business wants to get rid of it. As long as there’s a stronger privacy law, that’s what has to be followed, so the permissiveness of HIPAA can’t happen in the state of Minnesota, except in certain instances where the law still doesn’t have consent requirements. But Minnesota law has consent requirements in eight places where HIPAA doesn’t have it, including health care operations.

The purpose of the government EHR is not patient care. And that’s the thing that has to be understood. The doctors who created their own system for patient health records, or worked with a company to create one—their purpose was patient care, so it worked for them. But the purpose of the government EHR is to create a national health data system that’s standardized and that works for the data collection and data-profiling and data analytics purposes that are outside the patient-doctor relationship.

What do you think should be done to reform the EHR?

Congress could get rid of the mandate and the “meaningful use” mandate. That would take all the pressure off of having a bad system, and having a system that’s doing things that don’t work for the patient and the doctor.

The Illinois Pain Institute’s 70 doctors and staff voted unanimously two or three years ago to get rid of their electronic health record system, and they’re back to paper. So that’s the sort of thing that can happen. [Health care organizations face increasingly stiff financial penalties for not using an EHR system.]

Your solution is to just scrap it? Start over?

It doesn’t have to be what it is, and that’s probably one of the biggest things that our organization wants people to know: The price of today doesn’t have to be the price of tomorrow.

We’re working toward that end, because we really want it to be affordable, and it can be affordable. And we want it to be patient-friendly, and it can be patient-friendly. And we want it to be confidential, and that’s what it’s always been in a patient-doctor relationship.

So the patient should trust the doctor and be able to weigh whatever is said, and know it won’t go anywhere. Today, patients can’t do that.

Enjoying these posts? Subscribe for more