Electronic Health Records Security: Lessons From Target

 

What’s the Target data breach got to do with healthcare?

This week the giant retailer Target replaced Healthcare.gov as the big information-technology story. The news, of course, is that as many as 40 million Target customers may have had their credit card data stolen by Internet hackers.

The fallout is huge: a security expert at the research firm Forrester estimates that the costs to Target may exceed $100 million.

Why should health care providers care about Target’s travails? Because the latest hacking news is more evidence of the mushrooming abundance of Internet hackers and of the vulnerably of digital information.

Hacking is a worldwide growth industry for a reason. There’s a lot to steal on the Internet and plenty of places to steal it, both in storage and in transit.

Anything that’s on the Internet can be hacked: desktop computers, laptops, routers, modems, printers, surveillance cams, webcams, IP cameras, VPN appliances, VOIP phone systems, FM radio transmitters, storage drives, video conferencing systems and climate-control modules.

Let’s add one more to the list: electronic health records.

False sense of security

Many healthcare professionals think of EHR as the data in a hospital or practice’s own software database. Often the database resides in a dedicated server in the hospital or practice offices.

The server’s on-site location may lead to a false sense of security, since the EHR server may be connected to the Internet and thus accessible to anyone else on the Internet.

Another source of accessible data is health care providers’ websites, many of which contain what could be interpreted as electronic health records.

If your practice website has a “contact us” form or an online appointment request form, then it’s collecting and storing personal information from individuals filling out those forms, even if it’s only their names and telephone numbers. By disclosing as little as a name and contact information, someone who asks for an appointment on the website of, say, an oncology practice or a fertility clinic may be identifiable to an outsider as a cancer sufferer or unable to conceive.

If that information falls into the wrong hands, the consequences to the affected individual may be of loss of a job, insurance benefits or a marriage partner. Not good.

Or, alternatively, patients may become upset to know simply that extra care is not being taken to protect sensitive information.

Perception as reality

Let’s pick a few nits here. Sure, perhaps the form user is neither a cancer sufferer nor infertile. The user could easily be a family member of a prospective patient acting on his or her behalf.

It doesn’t matter. The mere implication that the form user is battling either cancer or infertility still puts him or her at risk.

One other nitpicking point: it’s not actually EHRs but the personal health information (PHI) contained therein that really matters. We’re concerned about protecting EHRs only because they hold the kind of PHI that’s protected by federal and state laws.

Nitpicking aside, the point is that website form data is often stored in a database on the same server as the website itself. And hackers can get to the website database just as easily as they might tap into Target’s cash registers, or into laptop computers, routers, webcams, and so on.

What can I do to protect patient privacy online?

So how can healthcare professionals battle sophisticated cyber rogues spread across the globe? In electronic health records security, a few ounces of prevention may make all the difference:

Update the medical practice’s website regularly with security patches. Crooks figure out new hacking techniques every day. As soon as they do, website software developers quickly issue software safeguards called patches.

News of updated security patches is usually emailed to website managers or posted as alerts directly in the back end of a website. Make sure your webmaster subscribes to notifications.

Use a popular website platform. In information technology, a platform is the underlying computer language supporting specific applications. Common computer languages for web platforms include PHP, ASP.NET and JSP.

What’s important is not deciphering this alphabet soup but ensuring that your website is running on a popular, well-known system based on these common languages. Examples include Drupal, WordPress and Joomla! – all known as open-source content management systems, meaning the software is free and open to thousands of web developers around the world.

The payoff is the availability of thousands of safe and proven applications as well as regular security updates both from each system’s official developers and from independent developers.

Avoid sending patient information by ordinary email. Unencrypted email is not a highly secure method of transmitting information. Third parties can comparatively easily intercept and read this kind of email. In contrast, encrypted emails, which require special software, offer far more security.

Some of our client physicians have innocently sent us unencrypted emails with attached spreadsheets with information on hundreds of patients, not realizing the risk.

In addition, the contact-us and appointment-request forms on some medical practices’ websites are configured to send all data entered into the forms via unencrypted email.

Making a practice more hacker-resistant

Attorneys specializing in health care law say that HIPAA and other regulations are not entirely consistent or clear on the level on standards of online security. As of this writing, HIPAA does not require encryption of stored or transmitted patient data. But HIPAA is more forgiving in security breaches when data has been encrypted.

It’s helpful to remember that cyber thieves are predators looking for the easiest prey. Taking a few extra precautions with electronic health records security will boost the odds against a private medical practice becoming the next Target.