An electronic health record (EHR), the digital version of a patient's medical record, often contains the patient's demographics, insurance information, mailing address, Social Security number (SSN), birth date, and notes from the prescribing doctor. EHR documentation helps providers and medical coding companies manage patient data by giving quick access to patient records, but that same accessibility makes data security a serious concern. Beyond medical records, these electronic files may also contain billing information such as credit card details and invoices. Because EHRs contain Personally Identifiable Information (PII) such as SSNs that never expires, cybercriminals are now targeting both the software and its vendors.
Attacking cloud-based EHR software vendors gives cybercriminals access to multiple client databases in a single operation. For instance, a date of birth, a medical insurance ID, and a Social Security number can be combined to acquire medical insurance fraudulently. According to a report published in Healthcare IT News, more than 3.16 million patient records have been breached so far in 2017.
The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009 (ARRA), mandates that healthcare firms adopt EHR systems to improve health care. While incentive programs were provided for the use of EHR systems, no guidance was given on securing them.
A major reason behind EHR data breaches is the lack of safeguards that healthcare institutions put around their digital assets. Hospitals and other healthcare organizations often lack staff equipped to handle digital threats or to apply basic security practices. An article in Forbes explains that on the black market a Social Security number goes for 10 cents and a credit card number for 25 cents, while an electronic medical health record (EHR) can be worth hundreds or even thousands of dollars.
Cybercriminals may use these details to:
- file fraudulent tax returns
- create fake identities
- receive health services
- purchase add-ons from the vendors such as birth certificates and passports
- obtain medical insurance by using SSNs and Medicare insurance ID
Medical identity theft is yet another concern. When one person's medical ID is used by another, the EHR itself is modified, corrupting critical information such as the person's blood type and current medications and leading to wrong diagnoses or delayed care.
Some EHRs can be reached directly through the vendor's IP address. Attackers can use brute-force attacks or ransomware such as WannaCry to break into such systems. They can also hijack insecure EHR systems, replace the encryption keys with their own, and extort hospitals for money in exchange for restoring access. Sites that store or provide access to EHRs should ideally be reachable only through an internal network or VPN.
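The restriction described above (EHR endpoints reachable only from the internal network or VPN) is normally enforced at the firewall or reverse proxy, but an application can apply the same rule as a second layer. The following is an added example, not code from the original article or from any EHR vendor; the address ranges, request paths, and sample requests are constructed placeholders, and the function names are ours.

```python
"""Added example: allow an EHR endpoint to be served only to source
addresses inside the organisation's internal LAN or VPN client pool.

Everything here is constructed for illustration. The real ranges would
come from the organisation's own network documentation.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical address ranges (assumption, not real infrastructure):
#   10.20.0.0/16  on-site hospital LAN
#   10.99.0.0/24  VPN client address pool
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.99.0.0/24"),
]


def is_allowed_source(client_ip: str, allowed: Iterable = ALLOWED_NETWORKS) -> bool:
    """Return True only if client_ip parses and lies inside an allowed range.

    Anything that does not parse (empty string, garbage, a hostname) is
    denied, so the check fails closed rather than open.
    """
    try:
        addr = ipaddress.ip_address(client_ip.strip())
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def filter_requests(requests: Iterable[Tuple[str, str]]) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Split (client_ip, path) pairs into (served, denied) lists.

    The denied list is what a defender would forward to an alert log:
    each entry is a request for EHR data from outside the trusted ranges.
    """
    served: List[Tuple[str, str]] = []
    denied: List[Tuple[str, str]] = []
    for client_ip, path in requests:
        target = served if is_allowed_source(client_ip) else denied
        target.append((client_ip, path))
    return served, denied


# Constructed sample requests for a stand-alone run. 203.0.113.0/24 is a
# documentation range (TEST-NET-3), used here to stand in for the public
# Internet.
SAMPLE_REQUESTS = [
    ("10.20.4.17", "/ehr/patient/1001"),    # on-site workstation
    ("10.99.0.8", "/ehr/patient/1001"),     # VPN user
    ("203.0.113.45", "/ehr/patient/1001"),  # public Internet
    ("not-an-ip", "/ehr/patient/1001"),     # malformed header value
]

if __name__ == "__main__":
    served, denied = filter_requests(SAMPLE_REQUESTS)
    for ip, path in denied:
        print(f"DENIED  {ip:<15} {path}")
    for ip, path in served:
        print(f"SERVED  {ip:<15} {path}")
```

Two points a practitioner would check before relying on this: the address passed in must be the TCP peer address as seen by the server (or the address recorded by a trusted proxy), never a client-supplied header such as X-Forwarded-For, which anyone can set; and the check complements, rather than replaces, the network-level restriction and the user authentication the EHR application already performs.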
It is highly recommended that healthcare organizations using EHR software secure their data by:
- educating staff members who access EHRs on the basics of cybersecurity and risk management
- seeking assistance from security companies to protect data stored within their facilities
- having robust network security that lessens the chance of attackers using the institution's own network as a gateway into the EHR provider's network
It is also important for vendors of EHR software and for medical billing companies to apply strong encryption to stored data in order to reduce the impact of a breach.