The move to electronic health records (EHRs) over the past few decades has helped to boost operational efficiency in the healthcare industry while improving the speed and quality of care. With electronic records, healthcare organizations are better able to capture and rapidly share complete, up-to-date information about patients in a way that simplifies administration and reduces costs.
But at the same time, the rise of EHRs has also created new risks. Now that sensitive patient information is in a digital format, cyber criminals have more opportunities for illicitly accessing that information, holding it hostage, or stealing it for identity theft and fraud. As a result, organizations must spend substantial time and effort protecting EHRs and complying with strict security and privacy regulations.
How can your organization better protect EHRs and comply with regulations while still maximizing the value of EHRs for enhancing efficiency and improving the quality of care? Start with an understanding of key regulations and best practices. From there, you can build a robust strategy to safeguard records without sacrificing the benefits they can offer.
The Pros and Cons of EHRs
When clinical information systems and electronic medical record (EMR) systems were first introduced in the 1960s and 1970s, they were typically limited to large hospitals, universities, and government organizations. But over the 1980s and 1990s, as computer technology became less expensive, a wider array of providers began to adopt EHRs and replace paper-based records.
EHR mandate: HITECH
The enactment of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 drove a rapid increase in EHR adoption. The act incentivized adoption of new technologies in healthcare. It also mandated that providers implement and demonstrate meaningful use of EHRs to maintain their existing Medicaid and Medicare reimbursement levels.
Before 2009, fewer than 10 percent of non-federal acute-care hospitals were using EHRs. By the end of 2021, more than 96 percent of these hospitals were using EHRs. Other types of providers have shown similar large-scale shifts from the old days of paper record keeping.
Benefits of EHRs
With the mandate to move to EHRs, more organizations are experiencing their potential benefits, including:
- More complete records: EHRs make it easier to assemble complete, accurate, and up-to-date patient records.
- Improved collaboration: EHRs facilitate collaboration across multiple providers.
- Enhanced efficiency: EHRs have eliminated time-consuming, costly paper-based work such as physically copying documents and images, and transporting files between providers. EHR systems can also enhance the efficiency of scheduling, billing, and patient communications.
- Reduced errors: When providers can more easily access complete, up-to-date patient records, they are less likely to prescribe medicines that could trigger dangerous allergic reactions or have problematic interactions with existing prescriptions.
- Increased patient engagement: Providers can more easily share health information directly with patients, encouraging them to become more engaged with their own care.
Overview of security, privacy, and accuracy concerns
As cyberattacks in healthcare continue to multiply, it’s not surprising that healthcare organizations and patients are increasingly concerned about data privacy and security. Organizations recognize that they need better ways to protect EHRs, and all the sensitive information they contain, from unauthorized access. If cyber criminals can access these records—through ransomware schemes or other types of attacks—they can demand hefty ransoms or conduct identity theft and fraud.
Inadvertent disclosure of the sensitive information contained in EHRs is another concern. Employees might jeopardize privacy and compliance by accidentally disclosing the PHI within EHRs. For example, a provider might mistakenly share a medical record of the wrong patient with another provider, which could violate regulations for maintaining patient privacy.
Meanwhile, healthcare organizations and patients also have legitimate concerns about the accuracy of EHRs. Just like paper records, EHRs can contain incorrect information that might cause harm to patients. Inaccurate information about medication, lab results, or medical histories, for example, could lead clinicians to make the wrong decisions about care.
Regulating Security and Privacy
Protecting sensitive patient data and maintaining privacy were among the key goals of HIPAA (the Health Insurance Portability and Accountability Act of 1996). The law clearly defined
protected health information (PHI) and established standards for keeping it safe. Consequently, HIPAA has important implications for how organizations should implement, use, and protect EHRs.
Security Rule
The HIPAA Security Rule, created by the U.S. Department of Health and Human Services (HHS), provides guidance for protecting patients’ PHI and electronic PHI (ePHI).
The rule mandates that organizations must:
- Ensure the confidentiality, integrity, and availability of ePHI
- Identify and protect against threats to the security or integrity of information
- Protect against impermissible uses or disclosures of information
- Ensure workforce compliance
The rule also provides some instructions for how organizations should adhere to those requirements through physical, technical, and administrative safeguards. For example, organizations must: ensure that physical facilities housing ePHI are fully secured; implement sufficient data access controls; and conduct risk assessments to identify vulnerabilities.
Privacy Rule
The HIPAA Privacy Rule, also created by HHS, sets standards for protecting the privacy of patients’ medical records and other PHI. The rule restricts how and when PHI can be disclosed without an individual’s authorization and establishes an individual’s rights to PHI. The rule highlights the need for balancing data protection with the flow of information: The goal is to permit some important information uses while also protecting patient privacy.
Best Practices for Securing EHR systems
How can organizations best protect EHRs and comply with HIPAA rules? The best strategies will incorporate multiple layers of security.
Access controls and authentication
Implementing robust access controls and authentication methods is critical for protecting the sensitive information in EHRs from both external and internal threats. In particular, employing role-based access controls will help ensure that users can access only the minimum amount of information they need for their role and nothing more. With these controls, you can limit unauthorized insider access and prevent attackers from having free rein within your network even if they steal an authorized user’s credentials.
Using multi-factor authentication (MFA) adds another layer of defense. By requiring users to augment their password with an additional means of authentication, such as a USB key or facial recognition, you can stop attackers with stolen credentials from accessing EHRs.
Data encryption
Data encryption is another essential means of protecting the PHI within EHRs. By encrypting data in transit and at rest, you can prevent attackers from using sensitive information even if they find a way to access it. Without the decryption key, attackers will be unable to read data.
Antivirus software, firewalls, network monitoring
Many cyberattacks that target PHI and EHRs start with phishing. Attackers attempt to fool users into clicking on links within emails or text messages that take them to spoofed websites. Users are asked to input login credentials, which attackers then steal and use to gain access to networks. The attackers can then implant ransomware or other malware that homes in on EHR systems.
Deploying antivirus and anti-malware software can help stop ransomware and malware before it executes. Meanwhile, firewalls can block malware from entering networks, and network monitoring tools can help identify malware communications with command-and-control servers.
System updates and patches
Updating applications and operating systems should be an essential component of your multi-layered defense strategy. Software vendors are continuously monitoring threat activity and attempting to identify—and fix—vulnerabilities in their products. Installing updates and patches promptly and completely across your IT environment can help prevent attackers from infecting your network and compromising EHRs.
Regular security audits and penetration testing
Securing EHRs requires continuous effort. As IT environments evolve and attackers develop new tactics, you need to make sure no new gaps appear in your defenses. Even after your team has implemented key security controls, you should conduct regular security audits to find any vulnerabilities. Running penetration testing, in which you simulate an attack, can help you identify possible weak spots and fine-tune your attack response plan.
Staff training
Your employees can play a vital role in protecting EHRs. They should be trained on how to spot potential attacks—such as phishing attempts—and how to report them to the right teams. At the same time, they should understand why it is critical to follow all security policies, including setting robust passwords and using MFA. They should also be taught best practices for handling PHI and working with EHRs to avoid accidental disclosure of information.
Security Breaches
What can happen if cyber criminals manage to access EHRs? Some well-publicized data breaches over the past decade—involving EHR systems and other IT environments with PHI—
demonstrate the serious damage attacks can cause.
Major data breaches
The largest breach of PHI in the last decade occurred in 2015, when Anthem Blue Cross Blue Shield was attacked. Approximately 78.8 million individuals were affected, including both current and former policyholders. Hackers stole personal information including names, birthdates, social security numbers, income data, home addresses, and email addresses.
The next largest breach occurred in 2018–2019, when more than 26 million individuals were affected by a breach of American Medical Collection Agency (AMCA) systems. Stolen data included social security numbers, payment card information, and medical information for some individuals.
These types of attacks are not slowing down. In 2023, for example, the HHS Office for Civil Rights (OCR) received reports of 725 data breaches, with more than 133 million records exposed or disclosed. This was the largest number of breaches and records exposed since 2009, when the OCR started keeping records.
Impacts on healthcare organizations and patients
When a data breach occurs, the impact can be enormous for both healthcare organizations and patients. Healthcare organizations can suffer severe financial consequences. If they are subjected to a ransomware attack, they might need to pay a ransom, then recover data and restore systems, conduct investigations, and remedy security vulnerabilities. Service disruptions can cause losses in revenue. Those revenue losses can extend for months if organizations suffer reputational damage that keep away patients or customers. Organizations might also need to pay fines, offer identity protection for affected individuals, and pay legal settlements.
If sensitive patient information is stolen from EHRs and sold, patients could experience issues for months or years. For example, they might be subject to identity theft. If their healthcare records are altered, their safety and future care could be at risk. Patients often need to use credit monitoring services to quickly identify any attempts to steal their identity.
Maintaining Patient Trust
In addition to following government regulations and implementing multiple layers of security, healthcare organizations have to earn and maintain patient trust. Given the high incidence of data breaches, across multiple industries, many patients are rightly concerned that their information could be stolen or misused.
There are several best practices healthcare organizations can employ to bolster patient trust:
Transparency: Healthcare organizations should be transparent about their EHR privacy policies. Patients should understand what organizations are doing to protect their information and how that information might be accessed or shared.
Patient access and control: Organizations should give patients access to and control over their own records. Patients should be able to easily access their records and decide when to share information with their selected providers.
Clear communication: Providing transparency and control requires clear communication. Organizations must present policies and offer guidance on how to access records in ways that are simple for patients to consume.
Looking Ahead
The emergence of new technologies will no doubt change how EHRs are used, accessed, and protected. For example, the integration of artificial intelligence (AI) into EHR systems could help further enhance their efficiency by generating progress notes, responding to patient questions, and automatically producing diagnostic codes. The use of blockchain—a distributed digital ledger technology—could help preserve data privacy by tightening access to EHRs.
Meanwhile regulations and standards will likely evolve. To address new technologies and threats, government agencies will fine-tune rules and recommendations to help ensure that patient information remains secure and private.
Protecting EHRs and navigating these changes can be challenging for healthcare organizations. In many cases, organizations will benefit from working with outside experts and managed service providers (MSPs), who can share best practices and relieve IT teams of administrative burdens. With the right partner, you can maximize the benefits of EHRs for your organization and patients while keeping sensitive information secure.
Ready to strengthen your strategy for protecting EHRs? Cloudticity can help. Contact us to set up a free consultation.