What the Philippines Needs in Healthcare Data Security

We normally publish informative pieces on medicine in the digital age or news about app updates here. But to shake things up, I’ve decided to write about something I realized during a recent visit to Cebu. Consider this an opinion piece with a little story thrown in.

The Story

We were invited to Cebu by a couple of doctors who had experienced some trouble with their existing EMR (let’s just call it Hybrid for now). These troubles caused them to sign up with SeriousMD.

Now they needed help. The doctors mentioned that they’d been having trouble getting support from Hybrid’s company. Among other things, it was painfully hard to get their data exported.

After talking with them, we realized these things:

  • They had personally known for some time that they wanted to move away from the Hybrid EMR software, but they just couldn’t because they’d built up years and years of patient data in their database.
  • They thought it was going to be almost impossible to find a way to move their data.
  • They had no real concept of how secure (or not secure) their data was in the EHR.
  • They didn’t have time to just pause, sit down and think about how to deal with it.

I eventually found out that it was the same situation for many doctors over there. That amounts to dozens, perhaps even hundreds of doctors in that area ready to make the leap into the digital age but unable to.

All because they had started out with the wrong EHR for them.

The irony of it too is that they’d already covered the hard part. In other words, they’d converted most of their paper files to digital ones.

Yet those digital files weren’t properly “theirs”, were they? After all, they couldn’t even export them from the Hybrid EHR when they wanted. At the same time, given the lax security of that same EHR, those files weren’t truly protected from third parties.

So who, really, was in control of all this data?

My Gripe

I’ve had a nagging thought in my mind for a while. That visit to Cebu really just reinforced my suspicion.

You see, I’ve been going around the Philippines and I’ve probably personally visited over 500 doctors/clinics already. And what’s the situation?

  • Doctors use insecure Android apps on their phones,
  • some use free apps that some dude uploaded on the Internet that are just spyware,
  • some use shared patient lists with other doctors who shouldn’t really be privy to that data,
  • some use freelancers’ software without data security features and, believe it or not,
  • many even use MS Word and Excel software (sometimes pirated copies) that’s most likely infected with some sort of malware.

I was even shown software for a hospital that didn’t have an iota of security. Even a 6-year-old kid could transfer actual readable data into a USB stick.

Many don’t even have backups for their data. I literally just received an email now while I’m writing this, this time from a new doctor who signed up for our app. She told me about her experience with a local developer who created some EMR software.

Here’s her experience in a nutshell: things started out peachy. But then the developer couldn’t be contacted anymore. Then her hard disk crashed on her. And now? Now the data can’t be retrieved.

Again I have to ask: who was really in control of the data there?

When going the digital route, data security will always be an issue. It should be. We regularly get objections or comments about data privacy/security and I’m totally fine with it. We’re happy to answer questions about security because it’s perfectly normal to be concerned.

We want our users to know that we take the topic seriously. But here’s the sad truth: a lot of people still don’t take it as seriously as they should. Or, if they do, they don’t quite grasp how digital security works yet.

What We Need

We need some things badly if we’re to discuss the security question in healthcare data intelligently. Among other things, we need smart regulation. We need standards.

In other countries, they’ve tried to implement security standards. We’ve talked about HIPAA before, for example. Governments and other key stakeholders should step up and work towards creating a set of rules for treating healthcare data with the respect its owners are due.

Education is another important requirement. Too few medical professionals understand what data security means in software. Shamefully, too few program developers are willing to devote resources to it as well.

Does security really matter here? Definitely. It’s not just about respecting your patients’ right to privacy either. It affects even your bottom line.

[Figure: Ponemon Institute data on healthcare data breach costs]

Then there’s this: I’ve learned that no introduction/training is offered in medical schools for basic software, so many turn out to be scared of technology until forced to face it during their time practicing outside the country or by the consultant they are working with.

That’s a lot of missed educational opportunities for something (digital tech) that has every appearance of being a big part of medicine’s future.

With proper information would come more intelligent consumer demand and selection. The more doctors understand what to look for in an EHR in the Philippines, the more of them will choose programs that fit their needs. They’ll be less likely to end up in the situation I mentioned at the beginning of this post: that of being stuck with software they don’t really like or can’t really trust.

Back to Cebu

Going back to the story, we landed in Cebu, took an Uber and got stuck in traffic for 2 hours on the way over to the clinic.

Once we arrived, we were shown the computer. It was our first look at the software. Then we basically got years of data in 3 minutes. 😓 

The doctors had thought it impossible to export their data easily from the Hybrid EHR. The truth? It wasn’t impossible.

It just seemed like it because of unhelpful user design (there was no button or tool showing them how to do it) and poor customer support (they had asked the other company to help them do it, but it took 3 weeks and was incomplete when Support finally deigned to assist).

But for anyone with time to tinker about a little with the software or with a good bit of techno-savvy? Piece of cake. And not in a good way.

There were hardly any security mechanisms protecting their data. We took it so easily that they were shocked. We had to admit we were a little alarmed too.

Anyway, the data was then imported to the doctor’s SeriousMD account and there, it was finally secured and usable with their own accounts. And finally under (their) control.

Now think about this for a moment. This is the type of software being used in many clinics, yet it was considered secure simply because this style of software stores data on a computer.

But computers aren’t intrinsically secure machines by themselves.

The Cebu doctors were horrified when they saw how easily we took the data from the program. It wasn’t hard to imagine myriad hypothetical scenarios where other third parties did it too. Anybody could have gone there, started reading the patient details directly from the database or just taken the whole thing. Technically, it’s just as secure as an old (and unlocked) file cabinet.

Where’s the “data privacy” there?

Conclusion

I am by no means saying that everything we do is perfect.

In fact, we have a bug now that stops you from creating one type of note. We’ve fixed it and we’re just waiting for Apple to finish reviewing it.

What I’m trying to get at with this post is that when it comes to using and recording digital data, not all software is of the same quality, and that definitely includes the level of security.

Please don’t assume all EMR software will be secure. Don’t assume either that ads for a particular EHR are telling the truth if they claim it’s secure. Find out exactly how it manages to be secure.

Look for things like data encryption and backup. Look for the things that protect you from third-party intrusions and data crashes.

Look for software that empowers you.

An EHR should put control of your data at your fingertips, yet free you from fears of data theft or loss by providing security measures and fail-safe mechanisms. Look for developers who are totally invested in their product and willing to answer all questions you might have for them regarding security.

Ask us questions if you need answers! We’re committed to your data’s security too. Whether you do choose to use SeriousMD or something else, never settle for less than that… both for your patients’ sake and your own.