As healthcare goes digital in a world rife with data breaches, how secure are your health records?
The adoption of electronic health records has many benefits for us as patients, but there are also serious potential risks, as hackers look to target our valuable personal information. Here, we look at the security measures in place for protecting that data and ask, are they enough?
The need for electronic health records
They may seem like a fairly recent development to most, but the very first electronic health records (EHRs) were actually developed in the 1960s, with the Mayo Clinic in Rochester, Minn., among the first to use them. However, despite concerted efforts in the late ’80s and ’90s to boost adoption, only 20.8% of office-based physicians were using EHRs by 2004. In fact, it wasn’t until the creation of the ‘Office of the National Coordinator of Health Information Technology’ in the same year that things really started to change, that figure growing to 86.9% by 2015.
There are a number of practical reasons for this increased rate of EHR adoption, but one of the overriding factors was improved awareness of the benefits. The ability to quickly access accurate, up-to-date and complete patient data is of huge benefit to patient outcomes; not only does it aid effective diagnosis and reduce medical errors, but it enables better communication between different healthcare providers, and between providers and their patients. Of course there are sometimes issues with implementation, but according to a recent national survey of doctors, 88% of providers reported that using EHRs clinically benefited the practice as a whole.
The risks
Unfortunately, however, it’s not all good news. The risk of storing all of that information electronically is that it could be accessed by hackers, a very real threat in today’s cybersecurity climate, and even more so given the value of that data: names, birth dates, policy numbers, diagnosis codes and billing information can all be readily used for identity theft, to buy and resell medical equipment or drugs, and even to file fraudulent claims with insurers. (CreditCards.com has this advice for consumers to fight medical identity theft.)
No surprise, then, that cybercriminals have turned their attention to what is a profitable, and potentially soft, target. According to Accenture, more than one in four US consumers have already been affected, with half of them suffering medical identity theft and average out-of-pocket costs of $2,500. The Anthem Blue Cross hack of 2015 was perhaps the most high-profile recent case, but there continue to be many smaller but significant breaches: McAfee Labs reported that healthcare accounted for 26% of Q2 2017 security incidents, the most of any sector.
Current security measures
Rightly, then, we can ask what is being done to protect our sensitive personal information. The authorities do at least recognize the threat: in 1996 the Health Insurance Portability and Accountability Act (HIPAA) was passed in order to set national security standards, with any personally identifiable data regarded as "protected health information" (PHI). If you store any PHI, you must be HIPAA compliant, and failing a HIPAA audit can result in steep fines, along with negative impacts on both revenues and reputation.
The number of incidents in the past few years forced the authorities into further action, and in July 2016 the HIPAA Phase 2 Audit Program was announced. These audits check for a range of different safeguards, from physical controls (e.g. locked doors, use of access badges, devices with access to PHI), to technical security measures (password protection, encryption etc.) and administrative checks (contractor compliance, auditing processes).
There is also the EHR certification program CEHRT (Certified EHR Technology) in place, designed to help providers choose an EHR system with confidence; to become certified a system has to demonstrate ‘the necessary capability, functionality and security’, with the storage of confidential data included within that. Recently however, it was announced that the certification program had been altered to facilitate elements of "self-declaration" and "enforcement discretion," in a bid to support efficiency and reduce the burden on users and developers. While this will undoubtedly enable more vendors to achieve certification, could it compromise the quality of some EHR systems?
What more can be done?
It does seem a strange move, especially when the safeguards currently in place seem to be insufficient. A report from the Ponemon Institute last year found that nearly 90% of healthcare organizations had suffered a breach in the previous two years, with many HIPAA-compliant providers, running certified EHR systems, among them. It all points to a fundamental flaw in the industry’s approach: it is focused solely on securing PHI, rather than protecting the organization as a whole from cyberattacks. The fact is that once a threat actor gets inside a network, they can often gain access to sensitive data, whether or not it is encrypted.
So what more can we do to improve the situation? Well, with many breaches down to human factors, an important first step is to provide more training for staff, which can help reduce the success of phishing emails and similar tactics. Also, hackers often target outdated operating systems such as Windows XP, so providers should upgrade to a supported version as soon as possible. Two-factor authentication can protect against brute-force attacks, while VPNs should be used to secure remote connections.
If a hacker does gain access to the network, let’s limit what they can see once inside. Rather than granting the same access to everyone who might need it, providers should make available to each staff member only the PHI that is relevant to their role. Audit logs, often not even enabled on a provider’s EHR system, can also help detect attacks as quickly as possible when software is installed to scan them for anomalies. Plus, while HIPAA guidelines do cover the removal of PHI data from mobile devices, even remote wiping procedures can be blocked, so staff shouldn’t store it on them in any form; that includes images and PDFs.
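As an added illustration (not part of the original article), the Python sketch below shows what role-scoped access and audit log scanning can look like together: it flags PHI reads outside a role's scope and accounts that touch unusually many patients within an hour. The log format, role names, PHI categories and threshold are all assumptions, and the log lines are constructed sample data.

```python
import csv
from collections import defaultdict
from datetime import datetime

# Hypothetical role-to-PHI mapping (assumption): each role sees only what it needs.
ROLE_SCOPE = {
    "nurse": {"vitals", "medications"},
    "billing": {"insurance", "billing"},
    "physician": {"vitals", "medications", "diagnosis", "imaging"},
}

# Constructed sample audit log: timestamp,user,role,patient_id,category,action
SAMPLE_LOG = """\
2018-01-08T09:02:11,asmith,nurse,P1001,vitals,read
2018-01-08T09:05:40,asmith,nurse,P1001,medications,read
2018-01-08T09:17:03,bjones,billing,P1002,billing,read
2018-01-08T09:21:55,bjones,billing,P1002,diagnosis,read
2018-01-08T02:14:01,cwu,physician,P2001,diagnosis,read
2018-01-08T02:14:09,cwu,physician,P2002,diagnosis,read
2018-01-08T02:14:15,cwu,physician,P2003,imaging,export
2018-01-08T02:14:22,cwu,physician,P2004,diagnosis,export
not,a,valid,line
"""

def scan(log_text, max_patients_per_hour=3):
    """Return sorted (kind, user, detail) findings for an audit log."""
    findings = set()
    patients = defaultdict(set)  # (user, hour bucket) -> distinct patient ids
    for row in csv.reader(log_text.splitlines()):
        try:
            ts, user, role, patient, category, action = row
            hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        except ValueError:  # wrong field count or unparseable timestamp
            findings.add(("malformed", "-", ",".join(row)))
            continue
        # Rule 1: PHI category outside what the role is scoped to see.
        if category not in ROLE_SCOPE.get(role, set()):
            findings.add(("out_of_scope", user, f"{role} {action} {category} for {patient}"))
        # Rule 2: one account touching unusually many patients in one hour.
        patients[(user, hour)].add(patient)
    for (user, hour), seen in patients.items():
        if len(seen) > max_patients_per_hour:
            findings.add(("bulk_access", user, f"{len(seen)} patients in hour {hour}"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Malformed lines are reported rather than silently skipped, since gaps or corruption in an audit log are themselves worth investigating.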
Future challenges—2018 and beyond
Indeed, there are major challenges ahead concerning the dissemination of sensitive information into insecure areas. Take for example the growing popularity of health-related wearables and mobile apps, many of which store that same PHI. Ensuring and checking those apps are compliant is a very complex process, and developers may not even be under the scope of HIPAA if they are not working with an established healthcare provider. Conducting consultations remotely, known as "telemedicine," is becoming widespread too, with network security and new data types such as video recordings key concerns.
Although medical devices (not mentioned under HIPAA by the way) may not store PHI, as they become connected to the Internet they create yet more vulnerable endpoints. There are currently no obligations for manufacturers to include security features in their IoT devices, which almost seems like an open invitation to hackers. And what about the vast amounts of clinical information that AI healthcare systems will require—how will we manage security as more and more organizations request access to that data?
It’s clear that in this rapidly changing environment, we have to completely reassess the way we secure our personal healthcare information. The systems we have in place are not only falling short right now, but seem woefully under-prepared for coming technological advances. It is a hard balance to strike; we mustn’t stifle the innovations that promise to improve our care, but at the same time we cannot compromise something so valuable to us.