Secure EHR systems can help avoid data breaches, HIPAA fines

Data breaches can be health care IT professionals' worst nightmare. Vital information may be lost or stolen, and the accompanying fines for violating the Health Insurance Portability and Accountability Act may approach $1.5 million per violator annually, according to the American Medical Association.

With so much riding on patient data security, best practices should always be followed. However, as the interoperability of electronic health records becomes a focal point of meaningful use requirements in future stages, restricting data to only those who are authorized to access it may prove difficult. As experts point out security flaws in popular EHR systems and common practices, health care IT professionals should be constantly reviewing their security needs to ensure compliance with all federal regulations and avoid costly fines from breaches.

Assessing EHR security
EHR systems have come under fire since their initial mandate in the health care industry. The 2009 American Recovery and Reinvestment Act began the digitization of medical information, and the 2010 Affordable Care Act prompted an industry-wide mobilization of the software in the hopes of using big data trends to improve patient care.

However, in a column for Search Security, health care IT security expert Joseph Granneman explained how some of the most popular EHR systems on the market today are merely thinly veiled and weakly secured updates to older versions of the software.

"The increased focus on data requirements fueled a rapidly expanding healthcare technology marketplace, but information security was largely only viewed as an afterthought," Granneman wrote in Search Security. "As a result, many of the most popular electronic medical records systems are based on legacy technologies and lack even the most basic security capabilities."

Large hospitals may have the excess profits to throw at ineffective and unsecured EHR systems, but small practices may not have this luxury. An older piece of software with a new coat of paint could lead to security breaches and hundreds of thousands of dollars worth of fines, so Granneman recommended choosing an EHR system that prioritizes data security above all else.

Where to put the data
An EHR system developed with security in mind may help with certain concerns, but how practices choose to store their data poses a whole other set of issues entirely. In conjunction with health care IT service firm Iron Mountain, the Healthcare Information and Management Systems Society released a survey on the common data storage practices of 150 senior IT professionals across the country. Unfortunately, HIMSS found that a significant portion of practices employed storage protocols that may make them susceptible to future breaches.

Of the 150 professionals surveyed, only 52 percent indicated that they actively archived patient data, which would imply that nearly half of the country's practices keep all of their data on hand and immediately accessible. While this may make it easier on physicians who require quick and open access to patient information for accurate diagnoses, the lack of any encrypted archival system means one less barrier for data thieves and hackers.

Moreover, of the 52 percent that did archive data, only 17 percent said they did it out of concern for a secure storage option. The remaining 83 percent admitted their only impetus was compliance.

Michael Leonard, director of product management for Iron Mountain, told Government Health IT that archiving data is not just a good idea from a business standpoint – a vast trove of accessible data places an unnecessary strain on IT budgets – but it could also prevent security breaches.

"Data vital to the business and near-term clinical operations should be backed up to remote data centers, allowing for fast access and protecting the data from extreme weather events or other disasters that could wipe out onsite servers," Leonard told Government Health IT.