Are Electronic Health Records (EHR) vulnerable to hackers? Yes. But are hackers the main source of healthcare data breaches? According to a report just released by IT Security firm Redspin, theft is listed as causing 83% of all large HIPAA privacy and security breaches. Hacking accounted for 6% of breaches.
The report shows a stunning 137.7% increase in the number of patient records breached in 2012-2013 for a total of more than $7 million in 2013. More than 85% of the records breached in 2013 resulted from the 5 largest incidents.
Other interesting stats:
- 29,276,385 patient health records affected by breach since 2009
- 4,029,530 records breached in the single largest incident
- 22.1% of breach incidents in 2013 resulted from unauthorized access
Key takeaways from the study:
The transition to Electronic Health Records (EHR)
- The number of hospitals that have adopted EHR tripled in the last four years. Approximately 93% of eligible hospitals and 82% of eligible providers have taken advantage of incentives for implementing and using EHR offered by the EHR Meaningful Use Program.
- The most common cause of healthcare data breaches has been negligent insiders and the theft or loss of unencrypted portable computing devices (laptops) or digital media containing Patient Health Information (PHI). Growing mobile initiatives, including BYOD (Bring Your Own Device) and employer-issued mobile devices, will likely exacerbate this issue.
How can hospitals reduce risk?
- First, by understanding how massively interconnected the technology is: EHRs are meant to be shared to improve patient outcomes, but the proliferation of portable devices that store PHI sharply increases risk.
- Stop using a security “checklist”. EHR security should include a full risk analysis that studies workflow and identifies vulnerabilities.
- Create a repetitive cycle of thorough testing, reports of findings, remediation, and retesting.
Complacency may be at the root of the triple-digit breach rise in 2013
- The data breach numbers in 2012 vs. 2013 may be partially attributed to less spotlight in 2013 on high profile PHI breaches.
- Additionally, the report points to the question of why encryption of “data at rest” was not made a mandatory HIPAA requirement, at least on portable devices.
In other stories about Electronic Health Records in the news, Charles Krauthammer had an interesting commentary this month in The Washington Post about EHR scribes. After first taking on vitamin supplements and Medicaid patients' use of emergency rooms, Krauthammer takes aim at the “rigid mandate” that unnecessarily sped up adoption of EHR, causing a sprawling mess.
“Electronic records will save zillions. That’s why the federal government is forcing doctors to convert to electronic health records (EHR), threatening penalties for those who don’t by the end of 2014. All in the name of digital efficiency, of course. Yet one of the earliest effects of the EHR mandate is to create a whole new category of previously unnecessary health workers. Scribes, as they are called, now trail the doctor, room to room, entering data.
Why? Because the EHR are so absurdly complex, detailed, tiresome and wasteful that if the doctor is to fill them out, he can barely talk to and examine the patient, let alone make eye contact — which is why you go to the doctor in the first place… This is not to say that medical practice should stand still. It is to say that we should be a bit more circumspect about having central planners and their assumptions revolutionize by fiat the delicate ecosystem of American health care,” said Krauthammer.
It seems that pretty much any healthcare discussion in this country quickly becomes a hot button issue. EHR certainly provokes strong opinions and the debate will continue to unfold as hospitals work to install, manage, and secure EHR, while also learning how to best leverage it to improve patient outcomes.