Electronic health records - what are they?

What are electronic health records?

An electronic health record is a collection of medical information about a person that is stored on a computer. This might include information about a patient’s health history, such as diagnoses, medicines, test results, allergies, immunizations, and treatment plans. In the industry, these records are sometimes referred to as ePHI (Electronic Protected Health Information) or eHR (Electronic Health Records) and are usually associated with hospitals, health insurance companies, primary care physicians and vendors such as medical payment processors.

EXAMPLES OF ePHI (Table 1)

  • Name
  • Address
  • Email address
  • Social Security number
  • Medical record number
  • Health plan beneficiary number
  • Account number
  • Certificate /license number
  • Vehicle identifiers, serial numbers, or license plate numbers
  • Device identifiers or serial numbers
  • Web URLs
  • IP address
  • Biometric identifiers such as fingerprints or voice prints
  • Full-face photos
  • Any other unique identifying numbers, characteristics, or codes

Why are they a target of cybercriminals?

Medical information is the most sought-after information among cybercriminals, as it yields the highest prices on the black market. It is not uncommon for a single record to fetch from $250 to $1000. Why so high? Hackers can use the types of information in the table above to take out a loan or set up a line of credit under a patient’s name. It can also be used to file false medical reimbursement claims and commit insurance fraud. Obviously, these crimes can have significant impacts on the victims, who may struggle to clear their credit ratings and can sometimes even become the subject of a criminal investigation.

Who monitors health data breaches?

The main surveillance body in the US is the HHS (Dept of Health) Office of Inspector General. It provides monthly and annual reports on health breaches and accepts complaints by email at [email protected] or by calling toll-free (800) 368-1019.

Who regulates ePHI?

The main rules regulating electronic personal health records in the US are the HIPAA Privacy and Security Rules. HIPAA (Health Information Portability Accountability Act) was enacted in the mid-90s and was designed to prohibit healthcare providers and healthcare businesses, called covered entities, from disclosing protected information to anyone other than a patient and the patient’s authorized representatives without their consent.

A large part of the need for privacy and security rules was driven by the proliferation of medical applications used to share information. Providers are using clinical applications such as computerized physician order entry (CPOE) systems, electronic health records (EHR), and radiology, pharmacy, and laboratory systems. Health plans are providing access to claims and care management, as well as member self-service applications. While this means that the medical workforce can be more mobile and efficient (i.e., physicians can check patient records and test results from wherever they are), the rise in the adoption rate of these technologies increases the potential security risks.

What are the HIPAA Privacy and Security Rules?

The Security Rule requires implementation of three types of safeguards: 1) administrative, 2) physical, and 3) technical.
Specifically, covered entities must:

  1. Ensure the confidentiality, integrity, and availability of all e-PHI they create, receive, maintain or transmit;
  2. Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  3. Protect against reasonably anticipated, impermissible uses or disclosures;
  4. Ensure compliance by their workforce.

The Security Rule defines “confidentiality” to mean that e-PHI is not available or disclosed to unauthorized persons. The Security Rule’s confidentiality requirements support the Privacy Rule’s prohibitions against improper uses and disclosures of PHI. The Security Rule also promotes the two additional goals of maintaining the integrity and availability of e-PHI. Under the Security Rule, “integrity” means that e-PHI is not altered or destroyed in an unauthorized manner. “Availability” means that e-PHI is accessible and usable on demand by an authorized person.
The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes. The risk analysis affects the implementation of all of the safeguards contained in the Security Rule.
The full text from HHS is found here.


The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to:

  1. the individual’s past, present or future physical or mental health or condition;
  2. the provision of health care to the individual;
  3. the past, present, or future payment for the provision of health care to the individual.

The same identifiers highlighted in Table 1 at the top of this page are considered personal information. De-identified personal data is not subject to the Privacy Rule. The full text of the Privacy Rule is found here.

Are there other healthcare security rules?

Yes. The HITECH Act of 2009 introduced a new four-tier penalty structure for HIPAA violations, tougher civil penalties for HIPAA violations, a reversal of the “burden of proof” (to show that a data breach had or had not resulted in harm), and, for the first time, direct liability for Business Associates for data breaches attributable to non-compliance with the Security Rule.

There were also the Breach Notification Rule of 2009 and the Omnibus Rule of 2013. More information can be found here.

How do you protect electronic health records?

Protecting health records takes a combination of technical and human governance controls to ensure that the confidentiality, integrity and availability of the records are protected.

From a technical perspective, organizations have moved to software automation and artificial intelligence in large part to manage the ever-increasing medical data repositories. Broadly speaking, software solutions fall into the following categories:

  1. Discovery (of medical information) and application of rules such as de-identification and anonymization;
  2. Risk management, tracking and treatment software;
  3. Data-mapping and data-flow tools; and
  4. Automated monitoring (event logging, AV, and response).

eHR protection software is largely built on automatically identifying the data described in Table 1 and applying pre-built policies on how to handle it. In truth, there are a lot of discrete technical controls built into protecting medical data, from end-to-end encryption, database encryption and secure protocols to access controls, firewall rules and more, all of which modern organizations are required to implement.
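To make the discovery-then-policy loop concrete (the "Discovery" category in the list above and the automatic identification of Table 1 data just described), here is an added Python example; it is not code from the original page or from any vendor product. It scans constructed sample notes for a subset of the Table 1 identifiers (SSN, email, IP address, URL and a medical record number), resolves overlapping matches such as an MRN embedded in a URL, and applies a removal policy. The MRN format ("MRN-" plus 6 to 8 digits) and the sample records are assumptions made for this example.

```python
"""Discovery and de-identification of ePHI identifiers in free text.

Added illustrative example, not code from the original page or from any
vendor product. It implements the loop the page describes: find Table 1
identifiers in a note, then apply a handling policy (here: removal).
"""
import re
from collections import Counter
from typing import Dict, List, Tuple

# Patterns for a subset of the Table 1 identifiers. The MRN format
# ("MRN-" plus 6 to 8 digits) is an assumption made for this example;
# real record numbers vary by institution and need their own pattern.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "ipv4": re.compile(
        r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
    ),
    "mrn": re.compile(r"\bMRN-\d{6,8}\b"),
    "url": re.compile(r"\bhttps?://\S+"),
}

# Constructed sample notes (no real patient data).
SAMPLE_RECORDS = [
    "Patient MRN-00123456 (SSN 123-45-6789) reached via jane.doe@example.org from 10.0.0.5.",
    "Follow-up scheduled; no identifiers present in this note.",
    "Portal link https://portal.example.org/chart/MRN-00123456 sent to patient.",
]


def _spans(text: str) -> List[Tuple[int, int, str, str]]:
    """All matches as (start, end, kind, value), with overlaps resolved.

    When two patterns overlap (an MRN embedded in a URL, an IP address
    inside a URL), the leftmost-longest match wins so that a single
    placeholder covers the whole identifier.
    """
    found = []
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            found.append((m.start(), m.end(), kind, m.group(0)))
    found.sort(key=lambda s: (s[0], -s[1]))
    chosen, last_end = [], -1
    for start, end, kind, value in found:
        if start < last_end:
            continue
        chosen.append((start, end, kind, value))
        last_end = end
    return chosen


def find_identifiers(text: str) -> List[Tuple[str, str]]:
    """Discovery step: (kind, value) pairs in order of appearance."""
    return [(kind, value) for _, _, kind, value in _spans(text)]


def contains_ephi(text: str) -> bool:
    """Classification step: does this text carry any listed identifier?"""
    return bool(_spans(text))


def deidentify(text: str) -> str:
    """Policy step: replace every identifier with a labelled placeholder."""
    out, pos = [], 0
    for start, end, kind, _ in _spans(text):
        out.append(text[pos:start])
        out.append(f"[{kind.upper()} REMOVED]")
        pos = end
    out.append(text[pos:])
    return "".join(out)


def summarize(records: List[str]) -> Dict[str, int]:
    """Inventory of identifier kinds across a batch of records."""
    counts: Counter = Counter()
    for record in records:
        counts.update(kind for kind, _ in find_identifiers(record))
    return dict(counts)


if __name__ == "__main__":
    for record in SAMPLE_RECORDS:
        print(contains_ephi(record), find_identifiers(record))
        print("  ->", deidentify(record))
    print(summarize(SAMPLE_RECORDS))
```

The overlap resolution matters in practice: a naive pass that substitutes one pattern at a time would turn a URL containing an IP address into a half-redacted string, whereas choosing the leftmost-longest span removes the whole link in one placeholder. Real discovery tooling adds context checks (an SSN-shaped number in an invoice column is not necessarily an SSN) and a far wider set of patterns than the five shown here.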


Software controls need governance, which comes from the adoption of frameworks and human oversight. For the HIPAA Security and Privacy Rules to work, an ISMS / PIMS (Information Systems Management System / Privacy Information Management System) must be in place. Frameworks such as NIST-800 and ISO 27000 detail the high-level governance (and technical) controls needed to ensure that privacy and security are implemented properly within organizations. At a more granular level, CIS Benchmarks are used to implement specific settings for, for example, VMware, databases and cloud services.

What are the main threats to healthcare data?

Undoubtedly, ransomware threats from programs such as ‘Locky’ are the main challenge for healthcare institutions. As mentioned previously, prices of up to $1000 per record have been demanded on the black market, which compares to about $15 for a stolen credit card. Next to ransomware is the challenge of staffing, of which there is a global shortage; healthcare does not command top salaries and benefits in comparison to other industries.
There are also endemic problems with outdated systems, including legacy medical device software and the security holes they introduce.

Lack of Cybersecurity Training

Medical professionals may not have role-appropriate knowledge of cybersecurity, which makes them more likely to click on phishing links and fall victim to other manipulation techniques. In addition, connected medical devices give medical providers more data and advanced capabilities, but they are not always optimized for security.

The switch to telehealth has also introduced security holes in processes and procedures such as insecure meeting links, static passwords and sharing of meeting credentials.

How can you improve your healthcare data security?

Improving the security in medical settings starts with awareness of the risks and security training. Get in touch with a professional to discuss your needs.