Improving security for electronic health records will enhance trust and unlock their full potential.
A friend of mine recently had a frustrating experience trying to send his medical records to a major hospital. He wanted to email them; however, the hospital said no: it accepts only faxed records. They said there are simply too many security risks involved with electronic records.
My first reaction was: "Fax? Who has a fax machine?" My second, more serious reaction was that we'll never realize the full potential of electronic health records (EHR, also known as EMR, or electronic medical records) without technologies to better ensure trust, security and privacy.
The promise of EHRs is well known: they can lower costs, improve patient outcomes and reduce medical errors. Electronic health records help physicians communicate better and share their patients' full medical histories rather than snapshot overviews. This gives doctors the information they need to comprehensively evaluate patients and make more accurate diagnoses.
This (along with a federal government mandate) is why the healthcare industry has invested heavily in EHR systems over the past decade. Fewer than ten years ago, 90 percent of office-based doctors in the U.S. updated their patients' records by hand and stored them in color-coded files. But by the end of 2014, 83 percent of physicians nationwide were using electronic health records, up from 61 percent the prior year, according to the U.S. Department of Health and Human Services.
What's more, nearly all the nation's hospitals have adopted certified electronic health records. This is a nine-fold increase over 2008, according to survey data from the Office of the National Coordinator for Health Information Technology.
However, some experts estimate that the healthcare industry spends only 12 to 13 percent of its IT budget on security, whereas most other verticals spend upwards of 20 percent. This disconnect stems from security being treated as a compliance-driven requirement instead of an investment in best-in-class practices across the industry.
As my friend discovered, the healthcare industry has never truly overcome its reluctance to share data across networks. Organizations simply do not want to face the risk and public embarrassment that come with security failures. And these security concerns have prevented the industry from reaping the full benefits of EHR.
To me, it all comes down to trust. Health organizations do not trust that their information and patient data will remain safe and protected out in the digital universe.
And for good reason. A number of recent high-profile breaches have propelled the issue of cybersecurity to the forefront in the healthcare world. We've seen hospitals at the mercy of "ransomware" attacks, in which access to patient health data is blocked until a payment is made. In one highly publicized attack last February, hackers unleashed the "Locky" strain of ransomware on Hollywood Presbyterian Medical Center. The hackers demanded $3.4 million. The hospital admitted to paying $17,000 in bitcoins to recover its files.
The healthcare sector needs better ways to protect itself, especially now that it has been singled out by attackers who see it as an easy target.
Healthcare organizations can strengthen their security posture by building resilience into their digital infrastructure. This will enhance their ability to stay in business and minimize damage to their operations, and to their patients, when incidents happen. What does this look like? Here are a few central elements:
• Ensure that your critical systems relating to patient health – such as operating-room IT systems and patient-monitoring systems – are segmented and isolated from other network areas. You need internal defenses between the internet, administrative systems, the network offered to patients, and the parts of the network only appropriate for healthcare staff. A flat, open network design will not stand up to current threats or current regulations. Further, increase your understanding of what applications are running on those critical patient systems.
• Be prepared and able to respond quickly and effectively to any network incident. Rapid response can suppress the threat at vital checkpoints, and prevent an incident from becoming an outright disaster. However, rapid response requires an accurate understanding of your network and its internal defensive barriers. If you do not have this mapped out in advance, you cannot respond effectively when the inevitable breach occurs.
• Back up your data and encrypt it. More than one healthcare organization has been able to thwart a ransomware attack by maintaining alternative access to its patient health data.
• Know where your data is, and who has access to it, in order to protect it. You also need to accurately prioritize your vulnerabilities and invest in incident response.
These components of cybersecurity will bring a measure of confidence, which will – in turn – enhance organizations' trust in their technology systems. As I mentioned earlier, trust is key in the success of EHR. With trust and confidence, the healthcare industry can finally start to reap the rewards of its digital transformation.
Dr. Mike Lloyd has more than 25 years of experience in the modeling and control of fast-moving, complex systems. He has been granted 21 patents on security, network assessment, and dynamic network control. Before joining RedSeal, he was Chief Technology Officer at RouteScience Technologies (acquired by Avaya), where he pioneered self-optimizing networks. Mike served as principal architect at Cisco on the technology used to overlay MPLS VPN services across service provider backbones. He joined Cisco through the acquisition of Netsys Technologies, where he was the senior network modeling engineer.
Mike holds a degree in mathematics from Trinity College, Dublin, Ireland, and a PhD in stochastic epidemic modeling from Heriot-Watt University, Edinburgh, Scotland.
The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.