
Electronic Health Records: Better Patient Care But Open to Hackers

27 Mar 2015 by Desiree Samson

Every written part of our lives is moving toward being digital. We pay with a swipe of a card or a touch on a smartphone. We offer our social security number up to numerous documents. We fill out patient history online — information that is all housed somewhere. Soon, a physical paper trail will be a thing of the past. But what does this mean for data security?

According to Wired, “More than 11 million people may have had their medical records exposed to hackers who breached Premera Blue Cross over a recent eight-month period.” Since the Health Information Technology for Economic and Clinical Health (HITECH) Act — a component of the American Recovery and Reinvestment Act (ARRA) — passed in 2009, healthcare providers have been moving toward the adoption of Electronic Health Records (EHRs). The government is shifting the healthcare industry to the digital age with reimbursement incentives for hospitals and practitioners who comply, as well as penalties for those who do not meet the implementation deadlines — all of which hit this year.

Paper charts are becoming a thing of the past, but what does that mean for healthcare providers working to comply with the law and patients who hope to be protected by it? “With EHRs, information is available whenever and where it is needed,” according to HealthIT.gov. The EHR requirements are meant to streamline and connect how patient information is used — more complete information for more well-informed patient care. But “health care firms have experienced a series of high-profile attacks, exposing client information” and the FBI issued a warning to the healthcare industry that it is a target for hackers. Plus, Premera Blue Cross’s announcement comes on the heels of health insurer Anthem announcing its own security breach that exposed nearly 80 million people — which leaves everyone wondering how data can be secured.

Companies do perform security audits but often they will sign off on the risk if — in their opinion — the cost outweighs that risk. Brian Cea, business development manager, healthcare at Insight, understands that this way of thinking is not an option and that companies need to be more proactive than reactive: “Data breaches are becoming the third thing you can count on behind death and taxes. It is not a matter of if your data will be breached — but when.”

NPR covered how companies are turning to cyber insurance to protect them in the aftermath of a hack. The issue here is that the market for this is relatively new and policies aren’t always as beneficial as they could be. The cost of Target’s data breach “reached $148 million…but its cyber insurance policy paid out only $38 million.” So while cyber insurance may help companies recoup some of their lost revenue, it will not make up for the damaged reputation and the breach of customer privacy, or be as beneficial as having a living security plan. “Not only must you be diligent in your security strategy, but constantly reviewing and updating to minimize risk,” says Cea. As hackers and identity theft continue to make headlines, companies will not only have to shore up their security but also have a plan of action if a hack does occur.