Physicians in all specialties have steadily adopted electronic health records (EHRs). However, as doctors have embraced technology for streamlining patient records, we have seen a marked uptick in data breaches by hackers who want access to the reams of information stored in these systems.
Current State of Electronic Health Records: High EHR Adoption, Low Interoperability
A soon to be published article in Health Affairs outlines the current state of EHR adoption: “Using data from the 2009–13 Electronic Health Records Survey, we found that EHR adoption continues to grow: In 2013, 78 percent of office-based physicians had adopted some type of EHR, and 48 percent had the capabilities required for a basic EHR system.”
This is a good thing in many ways. Technology allows doctors to quickly look at patients’ medical history and search for patterns, making it easier to diagnose conditions and reduce unnecessary testing. Doctors may also be able to track lab results faster and share progress with their patients. But the true potential of EHRs lies in the interoperability of patient records. As doctors begin to use EHRs to securely share health information outside of their organization, a wide variety of providers would be able to access information about a patient’s medication, health issues, and tests. This would be especially useful in emergency treatment situations.
The Health Affairs report, however, found that “physicians’ electronic health information exchange with other providers was limited, with only 14 percent sharing data with providers outside their organization.” Sens. Ron Wyden (D-Ore.) and Chuck Grassley (R-Iowa) recently issued a call for comment on health care data "interoperability." The American Medical Group Association (AMGA) responded: While “[h]ealthcare data, and its transparent use, has the potential to better educate the consumer/patient and drive significant change and improvement in the delivery system...[c]urrently, data is fragmented among provider, payor, and government silos, and often jealously protected.”
The Big Concern: Data Breaches
Ironically, the very technology that allows health records to be exchanged between physicians and hospitals also makes them susceptible to data breaches. Furthermore, because EHRs bundle a lot of important information in one place, hackers have access to personal identification information, insurance information, lab results, and a host of other private, potentially lucrative data.
In April, Reuters reported that the FBI warned healthcare organizations that their electronic data protection systems were lax compared with other sectors. “Health data is far more valuable to hackers on the black market than credit card numbers because it tends to contain details that can be used to access bank accounts or obtain prescriptions for controlled substances.” In a letter circulated to healthcare providers, the FBI stated: "The healthcare industry is not as resilient to cyber intrusions compared to the financial and retail sectors, therefore the possibility of increased cyber intrusions is likely.” (Reuters).
Flash forward a few months to August 20. Last week, the FBI issued a flash alert warning healthcare organizations that they are being directly targeted by hackers (Reuters).
The FBI alert came shortly after the recent breach of Community Health Systems (CHS), a hospital chain based in Tennessee. CHS is one of the largest hospital operators in the country, with more than 200 hospitals in 29 states. CHS reported in its SEC filing that the breach resulted from a targeted, external cyber-attack on CHS’ computer network in April and June 2014. CHS believes the attacks originated from China and involved "highly sophisticated malware and technology" that enabled the attacker to bypass CHS’ security measures. The incident is reportedly the second largest HIPAA breach ever reported and the largest hacking-related HIPAA data breach ever reported (iHealthBeat).
According to CHS' SEC filing, the attackers were able to copy and transfer data, including patient names, addresses, birth dates, and, worst of all, Social Security numbers, to networks outside of CHS. Notably, the attackers did not acquire credit card numbers or any medical or clinical information. HIPAA privacy laws, however, cover all of the stolen personal information.
Under HIPAA, covered health care entities and their business associates must analyze internal and external security threats to the data they hold and implement reasonable and appropriate safeguards based on a variety of risk factors, the entity's technical infrastructure, and the costs of the security measures.
In CHS' case, the novelty of the attack may work in its favor. Info Security states: "The widely publicized recent Community Health Systems data breach that compromised the private information of about 4.5 million patients, has been shown to have resulted from the Heartbleed vulnerability – marking the first time Heartbleed has been linked to an attack of this size. According to researchers, these events should point out changing security concerns for the healthcare environment." (Read more about the "Heartbleed" Bug here).
Because the Heartbleed vulnerability had not been used to hack healthcare records in the past, CHS may not have been on notice about the weakness in its security system. "Prior to hitting the news, it would be hard to say they were liable because no one knew about it and everyone relied on SSL, so it was reasonable and appropriate to rely on it as an industry standard at that point," said Perkins Coie LLP partner Dean Harvey. However, "[t]hey would have a hard time under HIPAA saying that they took reasonable and appropriate safeguards if they knew the Heartbleed vulnerability was out there and they didn't apply the appropriate patches," Harvey said. (Law 360). The level of encryption that CHS employed may also play a significant role in the company's potential liability, attorneys say.
Regardless of the merits, according to the National Law Journal, five individuals from Alabama are already suing the company, claiming CHS took too long to report the breach. They allege that CHS didn't give patients enough time to protect themselves from identity theft.
Additional Data Breaches
Capital New York recently ran a story on the recent slew of data breaches:
“The numbers are staggering. The Centers for Medicare and Medicaid Services tracks nearly 300,000 compromised Medicare-beneficiary numbers. The Office for Civil Rights received more than 77,000 complaints regarding breaches of health information privacy and completed more than 27,000 investigations, which have resulted in more than 18,000 corrective actions.
“During the last three years, the U.S. Departments of Health and Human Services has recorded 18 breaches in New York compromising more than 100,000 patient records (though 97,000 came in one breach), including some of the most respected names in the industry such as Memorial Sloan Kettering, North Shore-L.I.J. and Mount Sinai.
Some of the largest breaches have come from medical centers with stellar clinical reputations,” said Ken Rashbaum, an attorney with Barton L.L.P., who specializes in cases related to the federal Health Insurance Portability and Accountability Act (HIPAA), and advises hospitals and health systems on how to remain in compliance with state and federal privacy laws. “Stanford, Johns Hopkins. There have been several others around the country that have had data breaches of one kind or another. There is no correlation between the egregiousness of the breach and the clinical quality of the institution." (Capital New York)
The National Law Review provided a breakdown of breaches in the last year involving information held by healthcare providers. (For a full list of breaches, access the Office for Civil Rights):
- A breach reported by St. Joseph Health System in Texas affecting 405,000 individuals. The breach may have included names, Social Security numbers, medical information, etc.
- A breach reported by UW Medicine in Washington affecting over 76,000 individuals.
- A breach reported by Centura Health in Colorado affecting over 12,000 individuals.
- A breach reported by Nrad Medical Associates in New York affecting 97,000 individuals.
- A breach reported by the Montana Department of Public Health and Human Services affecting over 1,060,000 individuals.
An important takeaway from these latest breaches is that the threat to patients is more than financial. “When someone steals your medical identity and falsely bills an insurance company for an insulin pump, your insurer might conclude that you are diabetic,” states Pam Dixon, executive director of the nonprofit World Privacy Forum based in San Diego. “If a medical record is altered, whether by a doctor or a hacker, those alterations can follow a patient forever, providing subsequent doctors with incorrect medical information that could alter a diagnosis.” (Capital New York)