Rush to digitize medical records a bad prescription for security

A recent government audit of seven hospitals found over 150 security vulnerabilities in their online medical records. While there's no question that better communication between health care professionals is a good thing and will ultimately serve to improve patient care and lower costs, the rush to computerize medical records has also had some ugly unintended security consequences. The problem is that the underlying systems themselves are not secure. And while some standards for transmitting personal health information have been enacted, corresponding general security guidelines for the underlying systems on which those transport mechanisms are layered have not been issued.

There are a lot of mandates and incentives to make sure medical records become available online. By 2015, all healthcare facilities face a deadline set by the U.S. Department of Health and Human Services (HHS) to utilize Electronic Health Records (EHRs). Organizations that don't adopt EHRs face diminishing Medicare payments, among other punitive measures. Another driving force is that the penalties for data breaches have risen dramatically (and probably will rise further). The final rules governing HIPAA privacy and security safeguards that were mandated by the HITECH Act should be enacted by the end of the year, and will provide more guidance concerning breaches of EHRs. The teeth are already in place, though: one recent violator of HIPAA privacy safeguards was penalized $4.3 million.

Further compounding the issue, medical data has become an increasingly attractive target for theft because it normally contains such key personal identifiers as names, dates of birth, Social Security numbers, and of course medical information. These can be used in all the usual fraud schemes, but can also be used to submit fake Medicare bills, among other things. Hackers are already coming for this data. One additional avenue of access that is being considered is for patients to be able to request their medical records in the format of their choice; if that format is not available, the default will be to give them direct electronic access to that information. It doesn't take a genius to figure out that such access will be a favorite and likely lucrative attack target.

In the best of times, security is hard to get right. In mandating the adoption of EHRs while increasing the fines for data breaches, but without providing proper security guidance, the government has really created a potential disaster for health care providers. It's almost a case of "physician, heal thy own network." It's too bad that "an ounce of prevention is worth a pound of cure" wasn't baked into this process.

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation