There may be no turning back in the nationwide drive toward implementation of EHR systems, but security risks are also riding the upward trajectory of that technology megatrend. According to Lynda Martel, director of privacy compliance communications at DriveSavers, the presence of an EHR in a care setting dramatically increases the risk of a data breach.
“Not all organizations entrusted with protected health information [PHI] are putting the security protocols in place to ensure the confidentiality and integrity of PHI content,” said Martel. “If healthcare organizations ignore the security vulnerabilities in their healthcare environment, both internally and externally, costly data breaches may be the result.”
Martel outlined five security vulnerabilities that could mean trouble.
1. Theft. Lost or stolen media has been the cause of some of the most significant breaches this past year, said Martel, and typically, this has included a lost backup tape or stolen laptop. "Recent studies in a PwC survey indicated that theft accounted for 66 percent of reported health data breaches in the past two years," said Martel. In addition, a recent incident at Sutter Health in Sacramento, Calif., shed light on how prevalent theft is becoming. "Medical information of more than four million patients…was stolen by the simple act of breaking a window with a rock and stealing a desktop computer," she said.
2. Mobile devices. "As the size and price of portable electronic communication devices continue to decrease, many healthcare staff have access to PHI using mobile devices," said Martel. This can include PDAs, iPads, flash memory cards, and more. These devices don't have the same level of security controls as computer systems, Martel added. "Between September 22, 2009, and May 8, 2011, mobile devices were responsible for 116 breaches, exposing PHI of more than 1.9 million patients," she noted.
3. Dissemination of data. Many breaches taking place in the healthcare space tend to happen during the dissemination of data between professionals and third parties, said Martel. This includes the use of technologies with weak controls, like FTP sites, which, she said, lack security, tracking and auditing capabilities of sFTP to ensure the protection of health information. "Organizations involved in the transmission of data must invest in technology and processes that protect the data in transit and at rest, while providing the ability to manage and audit data transfers between business partners, service providers and customers," she explained. Martel also recommends vetting service providers and ensuring third-party associates are HIPAA-compliant.
4. Outsourcing to business associates or third-party vendors. "Outsourcing has grown exponentially over the past 15 years and is common within the healthcare industry," said Martel. Business associates, suppliers, vendors and partners should follow national regulations -- such as HIPAA compliance -- for securing PHI as healthcare providers, she said. "Yet, only 36 percent of health organizations perform a pre-contract assessment of their business associates, and only about 25 percent conduct post-contract compliance assessments," she said.
5. The cloud. The popularity of cloud computing, Martel said, is due to the cost efficiencies of outsourcing both the storage and the security compliance requirements. "The net result of employing cloud computing services for the maintenance of PHI adds another layer of potential breach exposure to a healthcare organization," she said. "Ultimately, the consumer of the cloud services retains full legal responsibility for compliance with any applicable statutes and regulations."