Monday, June 25, 2012

HACKED in HIT: Does your HCO have an EMR / EHR security plan?

Our blog has moved. You will find this blog post and fresh content on our new Talascend IT blog.

Does your HCO have a EMR security plan?
A couple of weeks ago we talked about your social media network getting hacked. While potentially embarrassing to those hacked and a slight risk to other accounts on your network, it is a problem easily remedied in the grand scheme of things.

What happens when an entire HCO is hacked and EMR / EHR information is compromised?

Patient records, dating back perhaps to prenatal checkups for mom, to that surgery 10 years ago, to a suspicious lump that was successfully removed, are at risk. And once they’re out there in cyberspace, how can they affect the rest of a person’s life?

In all likelihood, people after the information are looking to snatch your identity. For the longest time, medical records have been linked to social security and driver’s license numbers not only for ID purposes but for billing purposes as well. When a criminal makes off with a couple million of those numbers, there is bound to be at least a few prime names and numbers to target.

I am making a big leap here but, in this age of social media and cloud computing, what if your medical records were compromised and made available online to background check services without your knowledge?

Might an internet search bring up a health record file stating that you are being treated for severe depression, causing your renowned career as a motivational speaker to come to an abrupt end? A more plausible scenario: Could a past positive malignancy test keep you from getting a job, even though you’re one of the top two candidates, because you may cost your potential employer group a higher health insurance premium than the candidate without such a medical past?   

A study performed last year reported that upwards of 51% HCO’s and private practices intended to apply for Meaningful Use dollars during the first year, yet only 11% of them had the EHR systems in place to be able to meet 10 of the 15 Stage One requirements. Wouldn’t make sense that many of these same physicians intending to implement EHR systems might not be completely locked -down security-wise as well?

One thing is certain, healthcare providers are going mobile. Laptops, smart phones and tablets make up 40 % of the healthcare data breaches, but only 50% of the respondents to a recent HIT survey said that anything was being done to protect the data on their mobile units.

With cloud computing replacing SaaS and proprietary systems, new tablets coming out seemingly overnight, and limited quality mobile device protection it’s a daunting task for any HIT professional to stay ahead of the game. In addition, although I suspect many would like to, the heads of HIT security can’t staple a tablet to the practitioner’s hand to avoid leaving it at the cafĂ© table.  Even with security measures in place, most healthcare professionals are not practicing any form of security best practices.

Since 2009, there have been nearly 400 major EMR and EHR security breaches  affecting nearly 20 million people, or, about 6.5% of the US population. Chances are, the numbers are similar all over the world. 

The result? Several lawsuits have arisen out of these breaches in security. Special security breach insurance policies are available now and they are selling, meaning healthcare cost are going to rise even further. The public image of institutions, much like that of a hacked social media user, is tarnish at the time of the incident and beyond.

So what can HIT departments do to minimize risk?:

  • Get a security plan in place. Many of the largest data breaches occurred at institutions with inadequate or no security plan in place
  • Learn the cloud and all the intricacies of its communication with your staff’s mobile devices.
  • Standardize equipment. If everyone has the same devices, it is much easier to stay ahead of the game and update security software.
  • Bolster security training and make it mandatory.
  • Use encryption tools to keep data protected.
  • Have a social media policy in place  covering practitioner conduct to protect patient information.
  • And most importantly, explain to staff why it is important to the HCO, the professional and the patient (customer) to adhere to your security plan.

It’s one thing for your social media account to get hacked. When personal health information is hacked, a breach has the potential to evoke a different level of embarrassment for HCO’s and patients.

Does your institution have a data breach or security action plan in place? Have you had any security training on your mobile devices? I invite HIT and practitioners alike to share your stories with us.