Executives say EHR information breaches caused by employees, lost devices

The patient data stored in electronic health records can benefit physicians through on-site examinations and screenings for potential conditions, but the true value of EHR systems lies in their ability to communicate across provider networks. With an interconnected grid of patient data, large-scale analysis can reveal hidden risks.

The issue with a wide network of sensitive patient data is limiting its access to the right physicians and health care professionals. The Healthcare Information Portability and Accountability Act was drafted specifically to regulate the security of such data, but even with increasing health care IT budgets, executives are finding it difficult to ensure that the right data is seen by only the right people. In fact, according to a recent study by the Ponemon Institute, executives name issues with improper EHR handling and mobile health as topping their lists of security concerns for patient data systems.

Identifying risks
The first step toward patching holes in security systems is determining where those weaknesses are, and the Ponemon Institute's findings point directly to several sources. By surveying 388 health care executives about the security of their own in-house networks, the report was able to gain a comprehensive picture of what plagues the industry's attempts to keep its EHR information where it belongs.

A significant portion of executives – nearly 49 percent – indicated that lost or stolen mobile devices, such as smartphones, computers or tablets that held sensitive information or passwords for access to caches of it, were responsible for data breaches. Slightly behind mobile health concerns was employee error, which 46 percent believed was responsible for lost or stolen information in EHR systems. 

The report also found conflicting attitudes among executives over bring-your-own-device policies that are becoming more and more popular among physicians and health care professionals. According to the survey, nearly 88 percent of executives said they allowed their organizations to operate under a BYOD system, yet only 33 percent admitted confidence in the security of their mobile health systems.

Making sense of security risks
Considering the preponderance of BYOD systems, executives' lack of confidence in the security of those systems, and their explicit blaming of mobile health for a significant portion of breaches, careless employees can be the final ingredient in a combination that is dangerous for patient data stored in cloud-based EHR systems. Rather than hope that things go well on their own, Rick Kam, president of data security firm ID Experts, told Health IT Security that comprehensive security policies should be prized over reliance on conscientious workers.

"Where I think [health care organizations are] missing the boat, as we've seen this in several recent incidents, is that health care ecosystems are becoming more and more complex," Kam told the website. "Instead of relying on telling an employee that, for example, they're responsible for protecting [patient health information], there should be technologies and tools in place, such as encryption, that make it less likely that the employee has to do anything to protect the data."

With sound security policies in place, data will be constantly protected, Kam explained, even from employee mistakes and misplaced mobile devices.