FBI says EHR systems will see increased data security threats

Even though the Centers for Medicare and Medicaid Services is experiencing a degree of executive upheaval, health care professionals should not assume that already established policies on electronic health record systems will change. EHR implementation has steadily increased over the years, and as meaningful use stage 2 continues to underscore the need for greater interoperability of patient data through health information networks, physicians and administrators should be concerned about rising threats to data security.

According to a recent report from the Cyber Division of the Federal Bureau of Investigation, threats to health care systems' data networks are expected to increase. Growing EHR adoption and weak security practices are cited as factors behind the projected surge in intrusions. As the Department of Health and Human Services hands out large fines for violations of the Health Insurance Portability and Accountability Act, data security is becoming an increasingly hot issue in the medical industry.

FBI says threats will grow
Health care professionals have treated the CMS coolly in recent months as EHR adoption and ICD-10 preparations collided with already complex workflows. That may have bred some resentment of federal agencies' involvement in the health care industry, but when the FBI speaks about data security, the industry listens.

According to a report issued by the FBI in early April, the industry is not currently prepared to withstand the expected surge in breaches. Attackers generally do not even need advanced techniques, the report argued: basic methods such as capturing a password with a keylogger, or flooding a network with requests until it can no longer serve legitimate users, are often enough to get past health care data security controls.

The financial and retail sectors face similar threats to the consumer information they store, though the FBI claimed that the medical community is significantly less able to withstand an attack than the other two industries. The health care industry must approach this from a different angle. Sensitive patient information is protected by federal regulation, and violating those rules through negligence or a failure to act in good faith on security practices can mean hefty fines.

Organizations are not the only ones exposed; individual patients are at serious financial risk as well. Satnam Narang, security response manager at Symantec, told Health Data Management that a hacker who gains access to an EHR system may also be able to tamper with medical records.

"The impact that this could have is significant because it could cost a consumer thousands of dollars to have their identity stolen and it can also put their health care coverage at risk, leading to legal problems or inaccurate medical records," Narang warned.

Weighing the costs of security
Some health care professionals may see a comprehensive security program of firewalls, encryption and automatic logoff as prohibitively expensive. After all, the costs of staff, training and software can seem monumental. However, as HHS begins to issue large fines to organizations with lax data security, the balance may no longer be on complacency's side.

According to a statement issued by HHS, Concentra Health Services has been fined about $1.7 million for failing to adequately protect the data on a laptop stolen from one of its physical rehabilitation sites in Missouri. The laptop held EHR information on more than 840 patients.

Under the HIPAA Security Rule, encryption is an "addressable" specification: an organization must either implement it or document why an equivalent alternative is reasonable. Concentra could show neither for the period between 2008 and 2012, and HHS imposed the heavy fine. While health care organizations may not be able to prevent every laptop theft, they can make the data on a stolen device useless to whoever takes it by encrypting it.