What Increased EHR Accessibility Means for Cybersecurity

Electronic health records (EHRs) offer many benefits, such as centralizing a patient’s information and streamlining communication. These benefits will only grow as technical advancements continue in healthcare. For example, in a Q&A following his HIMSS keynote, Eric Schmidt of Google spoke of the critical role EHR adoption has played in the centralization of patient data, which will make the use of technologies such as artificial intelligence and machine learning possible in the healthcare space. Today, more than 95% of hospitals are using EHRs, and 38% of hospital chief information officers cite EHR integration with other systems as a top priority.

>> READ: WannaCry, NotPetya, and Cyberwarfare’s Threat to Healthcare

The trick for healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) is to ensure that, as these records become more widely used, shared, and interoperable, there are sufficient security controls in place to ensure compliance and patient privacy. This is especially true as new initiatives surface to make data more accessible to patients.

The General Data Protection Regulation (GDPR) is one of these. The regulation defines the 3 types of healthcare-related personal data of European Union residents that are subject to the specific regulation: genetic data, data that concerns physical or mental health, and biometric data. The GDPR prohibits the unnecessary collection of personal data by healthcare organizations and defines 4 common-sense categories where collection is allowed:

• Data have been given with explicit consent from the owner
• Data are necessary for the good of the public health
• Processing is needed for the purposes of preventative or occupational medicine
• Processing data is necessary to the “vital interests” of the patient and provider

Enabling Greater Access to EHRs

EHRs, by providing greater visibility into medical history to the patients themselves, are demonstrating real value. Traditionally, patients have not been able to access their medical file stored by their physician. However, recent programs seek to increase patient involvement in their care by allowing them greater access to their medical information through EHRs.

One of these programs is MyHealthEData, which the Trump Administration recently announced. It is intended to give patients greater access to EHR data through various devices or applications of their choice. Patients will be able to receive full copies of their EHRs and easily share it with whomever they want. This program also emphasizes placing a focus on interoperability improvements.

A new bill, the Ensuring Patient Access to Healthcare Records Act, was recently introduced in an effort to give patients better access to complete medical histories through medical record clearinghouses. These clearinghouses hold records on treatment plans, diagnoses and more, as they process transactions for thousands of medical providers across the United States. This means that they have all of this medical data already compiled in a single location. This bill would alter how clearinghouses are described under HIPAA, allowing them to disclose patient data in accordance with the security and privacy rules.

All attempts to make health information more accessible, though, will only be successful if patients truly feel secure in receiving these records. A recent study found that 25% of patients who were offered access to online medical records chose not to receive them due to security and privacy concerns. To encourage patient engagement through EHRs, providers must ensure that there are security controls and strategies in place that protect patient privacy and maintain regulatory compliance.

>> LISTEN: A New Kind of Warfare

Recommendations for Securing EHRs

Providers must take special care to secure protected health information (PHI) as EHRs become more shareable to mitigate the risk of a data breach and the loss of consumer trust. This means ensuring providers follow best practices and incorporate effective controls to secure records in health databases and in transit to patients—regardless of how they request to access it, such as through an app, email, or any other means.

First, though, providers need to determine the maturity of their security program, get organizational buy-in, and open communication with third-party vendors.

Conducting a cyberthreat assessment spotlights possible gaps in network protection that can lead to data compromise. Additionally, providers must build a culture around security, educating employees on risk factors and how to avoid them, and making sure they follow protocol when it comes to sharing information and giving access to records. Providers will also want to review HIPAA guidelines before deploying any EHR tools. Then, when working with third-party EHR developers, providers can ensure compliance and security are being taken into consideration in each iteration.

Next, providers must use a layered approach to enhance EHR security. There are many security tools that can be used to secure EHRs and build trust among users.

• Secure Access. To ensure that only necessary parties have clearance to access private data, healthcare providers must implement a system to authenticate users. An effective identity access management solution will incorporate features such as 2-factor authentication as well as guest and bring-your-own-device management.
• Encryption. Encryption is crucial to ensure PHI cannot be intercepted and read in transit.
• Internal Segmentation Firewalls. Providers can use internal segmentation firewalls to secure PHI and EHRs being stored in the network. This isolates private data behind an added layer of security to ensure that any threats that break through the perimeter cannot compromise patients’ private data. This will become increasingly important as interoperability between devices takes on a bigger role in healthcare.
• Web Application Security. Cybercriminals regularly target web applications. Effective application security, such as a firewall, will ensure that vulnerable applications on patients’ mobile devices cannot be leveraged to compromise patient data when using an EHR app.
• Endpoint Protection. Endpoint protection provides visibility into all connected devices accessing the network and allows them to be segmented based on their data permissions. Additionally, endpoint security enables real-time responses to malware and exploit-driven attacks.

A Secure Future

EHRs are a tremendous asset to healthcare providers and patients alike, improving efficiency and accessibility of important health information. Increased accessibility requires greater security, though, for patients to place more trust in the technology and for providers to remain compliant with multiple regulations. A strategy of layered security controls will meet the needs of both parties. The recommendations above will help patients and their caregivers move confidently into the future of healthcare.

About the author

Jonathan Nguyen-Duy is vice president, Strategic Programs at Fortinet, where he focuses on emerging technologies and key partnerships. He has unique global government and commercial experience with a deep understanding of threats, technology, compliance and business issues. Previously, Nguyen-Duy was Security CTO at Verizon Global Security Services. Before joining Verizon, he served with the U.S. Foreign Service, gaining more than 15 years of security and BCDR/COOP experience around the world. Nguyen-Duy holds a BA in International Economics and an MBA in IT Marketing and International Business from the George Washington University.

Get the best insights in healthcare analytics directly to your inbox.

Related

Podcast: Finding Orangeworm

A Curious, New Hardware Fix for Cybersecurity Vulnerabilities

What Keeps Healthcare Cybersecurity Innovators Up at Night