Improvements in EHR security start with users and IT departments
Community Health Systems, a hospital group, recently announced that over 4.5 million patients' data was accessed by Chinese hackers between April and June, 2014. The attacker or group of attackers used highly sophisticated malware and technology to infiltrate the company's systems. After bypassing security measures, information was transferred outside of CHS and successfully copied.
CHS hired Mandiant, a security incident management provider, to conduct an investigation. It found that, in the past, the intruder sought out intellectual property related to medical devices and equipment development. This time, he, she or they accessed nonmedical information such as patients' names, addresses, Social Security numbers, birth dates and telephone numbers. Credit card and clinical information was not copied.
Health care security needs work
While the effect of the attack is unknown, the security of electronic health record systems could use improvement. A study conducted by BitSight Technologies found that the health care and pharmaceutical industry has lower security ratings than other sectors such as finance, retail and utilities. Additionally, the average event duration of a security breach is about a day longer than the other industries, at 5.3 days. Health care also saw the largest percentage increase in the number of security incidents. In order to become more widely accepted by patients, EHRs need to become more secure.
InformationWeek reported that the Health Insurance Portability and Accountability Act and the Health Information Technology for Economic and Clinical Health Act have adequately protected patient data. However, breaches are occurring due to people seeking out information rather than people forgetting to lock their computers.
"I will never say never, but the health care industry has seen a disproportionately low instance of cyber attacks, and rather a higher proportion of accidental data loss through well-intentioned but risky user behaviors on the device or lost devices," Michael Raggo, security evangelist at MobileIron, told InformationWeek. "A major reason for a low instance of cyber attacks is because stringent HIPAA guidelines are a core part of the data security and compliance strategy of all health care organizations in the United States. That said, cyber attacks are increasing, as are the number of attack vectors organizations need to protect."
EHR vendors, IT departments and end users should collaborate
If the industry is prone to security incidents, then EHR vendors will need to ensure that they are providing optimal support. The same goes for hospital and clinical IT departments. The first step would be to prevent medical devices from accessing the websites. These computers need to be dedicated to working with EHR systems. Bring-your-own-device policies should only be implemented if IT staff can provide protection. Monitoring the usage of applications is not easy, but if doctors want to bring in their own iPads, it is a necessary step.
The CHS data breach was caused by malware. Malware can access a data center through an end user who did not have enough protection on one of his or her devices. It can be downloaded from websites or emails as well as installed via autorun commands after a USB flash drive is inserted.
According to ZDNet, the spread of malware is caused by users and can only thrive on computers that are not up to date with security updates. Additionally, malware can be on any device, including Apple computers and smartphones. It is also easier for an end user to spread malware to a host, or data center, than for it to come the opposite direction. No one should ever use a device to connect to an EHR system without an IT department's approval. However, data breaches are not only the user's fault. Clinics should outsource their IT staff if they cannot afford to have someone work full time. Security-as-a-service providers will be able to apply programs and protocols that ensure data breaches become concerns of the past.