Greater Connectivity of Electronic Health Records: Greater Risk?
The Department of Health and Human Services (HHS) is forging ahead with its recommendations and requirements for electronic health records (EHR). In February, HHS opened up its proposed Stage 2 of the Centers for Medicare & Medicaid Services (CMS) incentive program for comment.
Stage 1, which is still ongoing, laid the groundwork for switching from paper records to EHR. Now, despite a 97% increase in breached healthcare records from 2010 to 2011¹, Stage 2 is emphasizing the connectivity of EHR from organization to organization as well as between organizations and patients.
Will increased sharing and movement of EHR mean an increased risk for security breaches? The dramatic upswing in breaches during the switch to EHR suggests this may be the case.
One of the primary concerns over increased file sharing is the creation of more access points for the highly sensitive data that healthcare entities manage. Digital data can have multiple access points since it doesn’t have to be in one place at a time, as a physical document does. And no one person can monitor or control all of the access points once data gets forwarded, downloaded, uploaded or transferred.
A primary care doctor originating a patient’s EHR, for example, may keep the data encrypted and restrict office-wide access to it. However, once the EHR is transferred to a specialist, it has a new access point and is subject to the security standards of that office while still being accessible in the originating office. The same is true each time the EHR is shared, so the risk of a breach continues to magnify with every transfer.
Under Stage 2, EHR will be more readily available to doctors, specialists and hospitals. But it will also be more readily available to hackers and ill-intentioned employees – all at a time when attacks and data loss have reached staggering proportions.
Plus, healthcare entities are switching to portable devices to manage their EHR. It only stands to reason that the more portable devices storing or accessing sensitive data, the greater the chance of a lost or stolen device leading to a breach. Portable devices are easy to swipe, but even desktop computers aren’t safe from theft. In 2011, a stolen desktop led to a medical data breach of four million records.
- Portable devices are now being used in 80% of healthcare organizations²
- According to HHS, stolen physical devices account for 71% of breached healthcare records
- The volume of breached medical records resulting from an employee losing an unencrypted device jumped 525% in 2011³
With portable devices becoming more popular and data moving between more places, theft is likely to become easier and more commonplace. CMS recommends defaulting to encryption to keep data safe – a must as sensitive medical data becomes more and more mobile.
To help protect your patients and company, you should also:
- Ensure the proper security measures are in place before moving on to the next step of adopting and using EHR
- Have a data breach response plan in place to address various types of breaches
- Conduct routine HIPAA security risk analyses and address any weaknesses
While the ease of transfer of EHR may one day be a convenience and benefit to patients, it could also be a hazard. And it will continue to be a burden on healthcare entities, especially ones that cannot protect data privacy.
With some predicting that medical data breaches are going to get worse before they get better, be prepared. Don’t lag behind security standards and don’t move forward with EHR unless you can do so securely.
1 Breach Report: Protected Health Information, Redspin, Inc. (2011)
2 Breach Report: Protected Health Information, Redspin, Inc. (2011)
3 Breach Report: Protected Health Information, Redspin, Inc. (2011)