Financial information is being included in more electronic health records, and cybercriminals are taking notice. An expert in patient privacy suggests ways to reduce the risks of EHR data breaches.
There is no denying electronic health records (EHRs) are a good idea from a medical perspective. When doctors and other medical personnel can access patient data when they need it, this can increase the likelihood of patients receiving accurate diagnoses and better healthcare.
As to what patient information is available in EHRs, the HealthIT.gov site notes these records typically contain the following:
- Administrative and billing data
- Patient demographics
- Progress notes
- Vital signs
- Medical histories
- Immunization dates
- Radiology images
- Lab and test results
The HealthIT.gov site states who EHRs are built for and why:
"An EHR is more than just a computerized version of a paper chart in a provider's office. It's a digital record that can provide comprehensive health information about patients. EHR systems are built to share information with other health care providers and organizations--such as laboratories, specialists, medical imaging facilities, pharmacies, emergency facilities, and school and workplace clinics--so they contain information from all clinicians involved in a patient's care."
SEE: Identity Theft Protection Policy (Tech Pro Research)
Why are cybercriminals interested in EHRs?
Sadly, medical Personally-Identifiable Information (PII) housed in EHRs is of significant interest to the criminal element as well. "So far this year, the healthcare sector has reported 233 breach incidents to the U.S. Department of Health and Human Services, state attorney generals and media," writes Jessica Davis in an Aug. 4, 2017 article for Healthcare IT News. "More than 3.16 million patient records have been breached."
If that is not enough evidence: "On the black market, the going rate for your social security number is 10 cents," writes Mariya Yao in an April 14, 2017 Forbes column. "Your credit card number is worth 25 cents. But your EHR could be worth hundreds or even thousands of dollars."
It does not take long to realize EHR repositories are like one-stop convenience stores with impressive inventories. EHR information of particular interest is "administrative and billing data." Paul LaBrec, a researcher at 3M Health Information Systems, describes administrative and billing data as information generated for the administration of payment for health services delivered by healthcare providers and facilities. He adds:
"These forms collect patient information such as patient demographics (name, address, birth date, gender and marital status), employment and insurance status, occupational limitations, dates of service, diagnoses and procedures, service provider information and charges for services."
LaBrec states that administrative and billing data may not always be part of an EHR; however, it is becoming more popular to have it included in the EHR, as Mike Miliard explains in a June 26, 2017 Healthcare IT News article. Miliard writes, "A want ad recently appeared on the website of Verona, Wisconsin-based electronic health record colossus Epic Systems Corp. for 'bright, motivated individuals to join our new billing services team as we enter the world of medical billing.'"
Besides stolen financial PII, patients can run into trouble if those who compromise the EHRs are intent on causing physical harm, such as removing any mention of life-threatening allergies from a patient's EHR. Another consideration is that, unlike deactivating stolen credit cards, it is unrealistic to delete or disable a patient's health record.
What steps can healthcare leaders take?
In my 2016 TechRepublic article Why healthcare is a prime target for hackers, and how to treat the problem, several experts suggested solutions involving creating a dedicated security team and improving policies. However, from the evidence above, any solution has seemingly fallen short.
Healthcare IT News reporter Jessica Davis in her article asks Protenus cofounder and President Robert Lord for his thoughts. Protenus is a company that helps monitor patient privacy when using EHRs via big data techniques.
"The healthcare sector will only stop being so vulnerable when the advances in data collection, sharing and analytics are matched with similar advances in our understanding of how to protect patient data," Davis quotes Lord. "Healthcare has invested tens of billions of dollars in deploying systems to leverage data to improve patient outcomes--and appropriately so. But we still have massive problems with the abuse of that data and those systems."
"Healthcare executives, at a fundamental level, should stop thinking about security and privacy as a cost center and more as a strategic pillar of their organization. We've continued to see increased awareness and incremental improvements, but not the needed dramatic leap forward."
Lord suggests the healthcare industry is having growing pains with the introduction of EHRs. The only solution they propose is to match investment by other industries and stop being the low-hanging fruit.
Hopefully public pressure will be a factor as well. Patients suffer most if not all the damage, yet have little or no input into how their medical PII is handled.
- Electronic health records: The new gold standard for cybercriminals (TechRepublic)
- How hackers steal EHR data and sell it on the Dark Web (TechRepublic)
- Why data-driven analysis must inform healthcare IT security decisions (TechRepublic)
- IBM Watson, FDA to use blockchain tech to build secure exchange for health data (TechRepublic)
- 4 vital elements in a robust healthcare IT security strategy (TechRepublic)
- Cybersecurity professionals: The healthcare industry needs you (TechRepublic)
- Medical device 'birth certificates' could solve healthcare security woes (ZDNet)
- Inside the New York hospital hackers took down for 6 weeks (CBS News)