As EHR adoption becomes more prevalent, there is a growing sense of concern regarding the security of the information stored in servers both in medical offices as well as remotely in the cloud or in server banks. Can the data be securely stored and protected? This concern is well described by an EHR member who writes:
“There is no choice in accepting EHR. If banks, The Federal Government, The Military can not keep their information safe from hackers, why do you think Private Medical information will be shielded from this invasion of privacy? It is already a problem, in that when the insurance company gets medical codes for payment, all that information becomes public. Are we leaping into the technical future before we are really ready?”
In the last few weeks, a number of international hacking incidents have received national media attention. If smart people really want to get into your EHR system, they will probably find a way to do so. However, it is not without effort and there is a difference between the nuisance hacker and someone who wants to get into a database because there is inherent value, e.g. credit card information. As noted above, there is not much choice in accepting EHRs as the record keeping system of the future. So, why would someone want to get into an EHR and what can you do to protect yourself? (A recent post on AmericanEHR described the difference between Privacy, Security and Confidentiality.)
The majority of breaches will occur as a result of poor security practices within your physical office. Do you have a password management policy that requires users to change their passwords at set intervals? Are there any sticky notes with user IDs and passwords publicly displayed for all to see (including visitors and the cleaning staff)? Unfortunately because of the effort in managing passwords, common passwords are frequently used by multiple individuals within a practice or emergency department because it speeds up access to critical information. This is a dangerous practice, as it is not possible to trace inappropriate access back to a specific individual. In addition, if there is a security breach linked to a specific username and password, the original owner will be held responsible because it is not possible to trace others who might have used the access credentials. Ensure that all of your staff understand the clinic or organizational security policies and that they have signed a confidentiality agreement. Remember that a privacy breach can occur as a result of an authorized individual inappropriately accessing specific information.
What do you have of value that would encourage someone to hack into your EHR system? Do you store credit card information for any of the services provided to patients? Do you care for a celebrities or VIPs whose healthcare information could create public embarrassment or have value to unscrupulous individuals who may publish the data publicly? If you do store information of a highly sensitive nature, you have a heightened level of responsibility to ensure that your in-office security practices meet with all legislation, policies, and guidelines. As the recent international high profile breaches demonstrate, it is very difficult to provide 100% protection for any digitally stored information; however, through good practices, you can significantly decrease the risk.
For any of these reasons, individuals may attempt to access your EHR system. But the reward probably needs to be significant in order for someone to make the effort and take the risk.