I have taken Missouri to task on many occasions, in writing and in speeches / presentations, for their lack of ability to approve a PDMP (prescription drug monitoring program). While every other state in the U.S. has at least legislatively approved their own PDMP, with many fully operational systems, Missouri continues each year to propose it and vote it down. The PDMP Center of Excellence, sponsored by Brandeis University, has been my go-to resource for program statuses, best practices and latest trends for almost three years when I first met their leader at a WCRI conference. As they say, a picture is a thousand words, and this one is worth a million …
In addition to that graphical list, and going a step further, following are a list of states that currently require prescribers to access their state’s PDMP:
- New York
- New Jersey
- Rhode Island
- And at least 11 other states that are considering it …
In their latest venture, the Missouri Senate approved a PDMP in April by a 24-10 vote on SB 63 (“Narcotics Control Act”). However, it looks like HR 130 had an initial hearing on April 15 but no further activity since then. The Missouri PDMP Now Coalition is one of many advocates for a PDMP and they’re not claiming victory. With the legislative session over, unless I’m missing something, it appears another year will pass without a PDMP in Missouri.
From what I understand, the hang-up has been data security. Given that PDMPs include many very personal data elements (patient demographics, what drugs are being taken at what dosages and frequency, the prescriber and pharmacist involved, and a way to reverse-engineer diseases and conditions), it is highly sensitive data. I have historically addressed that concern by saying the benefits from the transparency of a PDMP in offering better clinical decisions overrule the potential risks of that sensitive data getting into the wrong hands. In fact, I’m a huge believer in the value of PDMPs and believe it should be an expectation for every prescriber to conduct a search as part of their due diligence prior to writing the script.
However, with the increasing number of data breaches happening in private industry and government, I’m beginning to better understand the point of PDMP opponents.
Chew on this … at least 21.5 million people who either work for the federal government or applied for government clearance had their social security numbers, health histories and other sensitive data stolen. The original number admitted by the Office of Personnel Management was 4.2 million (bad enough), but then they admitted that a second breach increased the total to more than 21 million. That’s approximately 6% of the entire U.S. population whose data has been compromised. While the perpetrator has not been 100% confirmed, theories are that China may be behind it (after it is believed Russia hacked IRS files). We certainly know there is electronic warfare happening on a daily basis around the world (spies in the 21st century). And entities like Wikileaks that are constantly searching for whistle blowers and backdoor access to interesting and/or embarrassing information.
That’s in addition to the data breach at Target in 2013 that spooked thousands of their customers during the Christmas shopping season. And just within the past few days the publishing of Ashley Madison’s database of people seeking extramarital dalliances. According to IBM’s tenth annual Cost of Data Breach Study, “the average consolidated total cost of a data breach is $3.8 million representing a 23% increase since 2013”. Cyber security is a huge industry, and in large part a cat-and-mouse game in areas of technology and “the cloud” that most people don’t understand. There’s even a website, www.databreachtoday.com, dedicated to the issue.
According to the Forbes 1/13/15 article “The Big Data Breaches of 2014“, the following companies were hacked in 2014 …
- Neiman Marcus – 350,000 customers
- White Lodging – 168 hotels in 21 states
- Sally Beauty – 280,000 debit/credit cards
- Michaels – 2.6M debit/credit cards
- Affinity Gaming – Non-gaming purchases at 11 casinos
- New York State – 22.8M private records over 8 years were exposed
- PF Changs – 33 restaurants in 16 states
- Albertsons & SuperValu – 700 and 228 stores, respectively
- Community Health Systems – 4.5M patients
- UPS – 51 stores
- Dairy Queen – 395 locations, 600,000 debit/credit cards
- Goodwill – 330 locations, 868,000 debit/credit cards
- Home Depot – 56M debit/credit cards, 53M e-Mail addresses
- Jimmy John’s – 216 stores
- JP Morgan Chase – 76M households, 7M small businesses
- Sourcebooks – 5,204 customers
- Staples – 119 stores, 1.16M debit/credit cards
- Bebe – 175 retail stores, 35 outlet locations
- Sony – 47,000 social security numbers
So … My question … How secure is the PDMP data in the 49 states that have one? Given frequent budget shortfalls (California almost mothballed CURES a couple of years ago), has the proper infrastructure been created and protective mechanisms implemented to keep the data secure? Is the data and user account info encrypted? Rather than an intensive electronic attack, could a simple user password left unsecured be the method of access? Is there constant virus and malware detection being done (especially important for ransomware attacks)?
In other words, is a PDMP a data breach just waiting to happen? And, if a data breach does happen, does that somewhat justify Missouri’s concerns? I’ve noticed that central to Missouri’s discussion of a PDMP is data security, which is obviously to help appease opponents but also is a good discussion to have. A PDMP database would certainly be a treasure trove of valuable information to people with bad intentions …
If you’re still reading at this point, and you are involved in managing a state PDMP, I would be very interested to know how you secure the data and how confident you are that it cannot be breached. There may be a “flyover state” that is interested in your answers.