Over the last few years the healthcare industry has been an easy yet lucrative target for cyber attacks. FortiGuard Labs reports that in 2017 healthcare saw an average of almost 32,000
intrusion attacks per day per organization, compared to over 14,300 per organization in other industries. This is for a number of reasons:
- Cybersecurity is still at an early stage in healthcare
- Healthcare data tends to be richer in both volume and value than data in the financial services or retail sectors.
- Medical identity fraud takes longer to detect than other types of fraud.
Keeping this threat environment in mind, it is imperative for hospitals and practices to implement measures that reduce their exposure. The government has enacted the Health Insurance Portability and Accountability Act (HIPAA), which requires practitioners to follow guidelines to ensure the safety of patient data. In case of non-compliance, the practitioner not only faces stringent penalties but also a loss of reputation, as patients no longer trust the practice to keep their confidential information safe.
Often physicians are caught off guard: their medical software and equipment are HIPAA compliant, so they assume their practice is too, which is not the case. While some EHR systems and their related equipment have security features built in or provided as part of a service, those features are not always configured or enabled properly. In addition, medical equipment is often web-enabled (it can connect remotely to send information to a server), but that equipment may not be checked for proper security.
As the guardian of patient health information, it is your responsibility to learn and understand the basic features of your IT assets and medical devices, what security mechanisms are in place, and how to use them. Here are a few basic security features that must be present and enabled in your EHR:
Audit trail
Before buying any EHR system, check whether it has an audit trail feature. An audit trail tracks each access to your system with details such as username, location, activity performed, date and time.
User Access Restriction
Not everyone needs access to every part of your EHR. Your EHR should allow you to set user access restrictions that limit access to certain information depending on each person's role in your practice.
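Reviewing the audit trail against the role restrictions, as an added example that is not part of the original article: the role policy, workstation names and audit records below are constructed assumptions, and the script flags accesses that fall outside a user's role, outside business hours, or from an unrecognised location.

```python
from datetime import datetime

# Assumed role policy: which audit-trail activities each role may perform.
# Constructed for this example; a real practice derives it from its own job roles.
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "update_chart", "order_lab"},
    "nurse": {"view_chart", "update_vitals"},
    "billing": {"view_billing"},
    "reception": {"schedule_appointment"},
}
KNOWN_LOCATIONS = {"clinic-ws-03", "clinic-ws-07", "billing-ws-01"}  # assumed workstation names
BUSINESS_HOURS = (7, 19)  # assumed: 07:00 to 18:59 local time

# Constructed sample audit-trail records: username, role, location, activity, date and time.
AUDIT_TRAIL = [
    {"user": "dr_lee",  "role": "physician", "location": "clinic-ws-03",   "activity": "view_chart",   "time": "2017-05-02 09:14:00"},
    {"user": "n_patel", "role": "nurse",     "location": "clinic-ws-07",   "activity": "view_billing", "time": "2017-05-02 10:30:00"},
    {"user": "b_ortiz", "role": "billing",   "location": "billing-ws-01",  "activity": "view_billing", "time": "2017-05-02 23:05:00"},
    {"user": "r_kim",   "role": "reception", "location": "unknown-host-9", "activity": "view_chart",   "time": "2017-05-02 11:00:00"},
    {"user": "dr_lee",  "role": "physician", "location": "clinic-ws-03",   "activity": "order_lab",    "time": "2017-05-02 14:45:00"},
]

def check_record(rec):
    """Return the list of findings for one audit-trail record (empty if nothing is wrong)."""
    findings = []
    # Role-based access restriction: the activity must be permitted for the user's role.
    if rec["activity"] not in ROLE_PERMISSIONS.get(rec["role"], set()):
        findings.append("activity not permitted for role")
    # Time of access: flag anything outside business hours for follow-up.
    hour = datetime.strptime(rec["time"], "%Y-%m-%d %H:%M:%S").hour
    if not BUSINESS_HOURS[0] <= hour < BUSINESS_HOURS[1]:
        findings.append("access outside business hours")
    # Location of access: flag workstations the practice does not recognise.
    if rec["location"] not in KNOWN_LOCATIONS:
        findings.append("access from unrecognised location")
    return findings

def review_audit_trail(records):
    """Map (user, time) to findings for every record that needs review."""
    report = {}
    for rec in records:
        findings = check_record(rec)
        if findings:
            report[(rec["user"], rec["time"])] = findings
    return report

if __name__ == "__main__":
    for (user, time), findings in review_audit_trail(AUDIT_TRAIL).items():
        print(f"{time} {user}: {'; '.join(findings)}")
```

A real review would read the EHR's exported audit log instead of the inline records, but the three checks stay the same.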
Encryption of data
EHRs should encrypt patient data, which protects it if hardware is stolen or messages are intercepted. That means your patients' health information cannot be read or understood except by those using a system that can "decrypt" it with a "key."
State-of-the-art data centers
Any major cloud provider worth its salt continually invests significant resources and expertise into building and maintaining world-class data security, which means it typically offers better privacy than in-house systems. Such providers have state-of-the-art data centers built to defend against both cyber and physical threats. These data centers possess bank-level security, sophisticated encryption methods, and real-time surveillance.
Ask your vendor for security details about its operations—online and off. And keep in mind that this is basic information that every trustworthy vendor should be willing to provide.
Access to real-time expertise
When it comes to protecting sensitive data, people matter. Be sure that any potential technology partner has specialized staff trained in online security measures. These experts can help you proactively address a security threat, sparing you from a potentially serious problem.
Allow only protected mobile devices
An Electronic Health Record (EHR) system allows both practitioners and patients to exchange information through mobile devices, laptops, and PCs. On one hand, this ensures smooth delivery of healthcare services, but there are security issues with mobile devices and laptops that must be taken into consideration. Not all mobile devices are equipped with strong authentication controls, so data on them can be vulnerable to electronic theft. Therefore, it is essential to ensure that your EHR only integrates and communicates with mobile devices that support data encryption.
Ask your Health IT vendor the following questions
Last but not least, remember to ask your EHR vendor the following questions:
a) Does the EHR support ePHI encryption?
b) Does it have an audit trail feature?
c) Does it provide emergency access?
d) Does the system keep backup files?
e) How do the recovery processes work?
f) Are user IDs and passwords unique and strong?
g) When the Health IT provider contacts my staff, how can my staff verify that the caller is really the provider and not a hacker?
If your desired vendor is not forthcoming with answers, it's a clear red flag to start looking elsewhere. You can read our review of vendors' business practices here.