Every day, healthcare practitioners record and log sensitive patient information via Electronic Health Records (EHR). This constant electronic recording of patient data may include valuable information such as Social Security Numbers, mailing addresses, birthdays, and health insurance data. Such personal information “has a higher value on the black market than credit card information” (Elliot 1) because, among other uses, it enables access to medical care, the purchase of prescription drugs, or the submission of false claims. With such high value, it’s no wonder EHR data is highly susceptible to theft. The following analysis examines how this growing issue impacts EHR vendors and what security measures can be taken to combat theft.
According to Clemens Scott Kruse and his colleagues,
“the privacy of patients and the security of their information is the most imperative barrier to entry when considering the adopting of electronic health records in the healthcare industry” (Kruse, Smith, Vanderlinden, Nealand 1).
Both healthcare organizations and EHR vendors are exposed to financial and reputational scrutiny if they fail to meet security requirements and protect patient data. The minimum punishment for any violation of the three pillars of security under the Health Insurance Portability and Accountability Act (HIPAA), namely administrative safeguards, physical safeguards, and technical safeguards, is $50,000 per violation, with an annual maximum of $1,500,000. Unfortunately, cyber security has historically “been viewed as an IT challenge, is approached reactively, and is not often seen as a solution to protect the patient” (Health Care Industry Cybersecurity Task Force 9).
Cyber criminals are perfecting the art of theft in a growing number of creative ways. It is increasingly difficult to combat invisible criminals with the capability to suddenly breach what was thought to be a secure system. So what security measures can EHR vendors take to shift the approach from reactive to proactive? Furthermore, what role should the U.S. government have in promoting this shift in security tactics?
Under the Obama Administration, the U.S. government enacted legislation including HITECH and MU, both of which defined EHR security measures. If these measures have done little to thwart cybercriminal activity in recent years, should the government play a further role in determining security requirements? According to the Health Care Industry Cybersecurity Task Force, the answer is yes. One Task Force recommendation is to establish a
“Medical Computer Emergency Readiness Team (MedCERT) to coordinate medical device-specific responses to cybersecurity incidents and vulnerability disclosures. The MedCERT would be a trusted entity that is viewed as independent and neutral by all stakeholders and will work to arrive at ‘the ground truth’ of vulnerabilities and proposed mitigations” (Health Care Industry Cybersecurity Task Force 34).
The role the U.S. government ought to play in the future of Health IT security is up for debate. What is not up for debate, however, is the proactive role EHR vendors must now take. It is no longer acceptable to wait for a security breach before implementing change. Indeed, EHR “manufacturers should manage security risks within their product risk management processes including safety risk management, and consider risks throughout the lifecycle (from concept generation through end of life recycling or disposal) and across all levels of the system supply chain. If any one of these lifecycle phases or system levels is left unaddressed, that represents a potential susceptibility to cyber-related risks” (Health Care Industry Cybersecurity Task Force 30).
Additionally, EHR vendors can implement a number of advanced, yet simple, security measures to prevent cyber theft. For example, clinicians, pharmacists, nurses, and other healthcare practitioners access their EHR system through a unique username and password. However, “this widely used, single factor approach to accessing information is particularly prone to cyber-attack as such passwords can be weak, stolen, and are vulnerable to external phishing attacks, malware, and social engineering threats” (Health Care Industry Cybersecurity Task Force 32). To thwart such threats, EHR vendors can promote the use of two-factor authentication measures by leveraging biometrics, such as a thumbprint, or wearable technology that restricts access to that individual alone.
EHR vendors can also utilize encrypted data, adopt role-based access to limit different levels of the system to employees who need to use that portion of the application,” and transition to web-hosted networks where security measures are typically more advanced than on-site servers (Terry 2). It is the responsibility of every EHR vendor to promote the utmost in patient safety, which today extends beyond the periphery of healthcare facilities and the clinical software applications EHR vendors provide. Ensuring patient safety is synonymous with protecting private information from invisible criminals who steal for their own gain.