Preventing EHR data breaches

Focus should be on file storage, transmission and destruction

Large data breaches involving sensitive patient information are, unfortunately, all too common and with more and more healthcare organizations using electronic health records (EHRs), companies need to be very concerned about the protection of their data.

According to George Hickman, board chair of the College of Healthcare Information Management Executives (CHIME) and Albany Medical Center CIO in Albany, N.Y., “Since 2009, healthcare organizations have reported 385 breaches affecting more than 19 million patient records. Three of the top five all-time breaches since August 2009 have involved business associates - entities that providers rely on, such as vendors, suppliers, consultants and contractors. In fact, 59 percent of all breaches have involved business associates.”

Greg Bartels, president and CEO of IPS, a company that helps companies digitize their various business processes through eliminating paper in Secaucus, N.J., said that while EHRs are important to today’s healthcare organizations, the way in which the information is digitized and transported is vital.

“With people who can hack into the system, you have to have a layer of security on the infrastructure (the networks) side of it that is extremely strong,” said Bartels. “There should also be security on who has access to the data in the system so not just anyone working can come in and transfer the data onto another device.”

Robert Shaughnessy, chief technology officer at Circadence, a WAN optimization company in Boulder, Colo., said it’s important that sensitive data being sent from one place to another over a network should be extremely secure at the endpoints.

“One of the things to note when it comes to EHR is why they’re being put into that format to begin with – it’s not just for ease of storage but also for access. One of the qualities of the best care is access to care. The ability to maintain that security while doing that is essential,” said Shaughnessy. “A lot of information we deal with is actual raw information like patient studies that have to be carefully dealt with. Our software is designed to maintain that security.”

Data encryption on all devices – including mobile devices such as smartphones and iPads – is also key because so many data breaches come from stolen or lost laptops and phones, said Sean Glynn, vice president of marketing at Credent, a data encryption company in Addison, Tex.

“At least a third of data breaches are from lost or stolen data at the endpoints, such as backup drives, laptops and mobile devices,” said Glynn. “There are significant penalties from the government in case of a breach. With encrypted data, there’s no need to pay fines, you just replace the hard drive of the device.”

When it comes time for a healthcare company to upgrade its electronic equipment, it’s important that all sensitive data be removed or destroyed securely from all devices, said Steve Skurnac, president of Sims Recycling Solutions, a nationwide e-recycling company.

“There are many laws with how patient data must be protected when it becomes to the recycling or disposing of electronic devices like laptops and printers. HIPAA rules are specific,” said Skurnac. “We stress from the recycling point of view that data is still residing on hard drives of servers or laptops or printers, etc. We encourage companies to make sure that any electronic recycling vendor they pick is somehow guaranteeing the destruction of their data.”


Show All Comments