Eileen Erdos, a principal in the EY Fraud Investigation & Dispute Services’ Life Sciences practice, spoke with HealthITSecurity.com about the importance of EHR security.
Without strong EHR security, it could be extremely difficult to not only prevent healthcare data breaches, but also to react to them accordingly. With medical identity theft being an extremely lucrative option for cyber criminals, healthcare organizations need to take the proper precautions to keep patients’ protected health information (PHI) secure.
Eileen Erdos, a principal in the EY Fraud Investigation & Dispute Services’ Life Sciences practice, discussed the dangers of medical identity theft with HealthITSecurity.com, and what organizations can do to ensure that patient data remains secure.
Medical identity fraud is far more lucrative than financial identity theft, Erdos said.
“It’s not just a matter of financial reputation, but this can impact patients’ health – patients’ lives,” she said. For example, if someone is stealing a patient’s identity and using it to receive care, along with billing benefits, that could become dangerous for the actual patient.
With more healthcare organizations implementing EHRs, Erdos said that they are going to be at a greater risk for a potential data breach. The increase in data breaches stems primarily from the increased use of electronic data and the transmission of that data. Other organizations, such as financial service firms and credit card companies, have greater experience in handling security breaches and their aftermath, Erdos explained.
“While medical identity theft is not necessarily a new issue, it is something that we’ve seen for a long period of time,” Erdos said. “The fact that you have much more information available electronically makes it easier for thieves to get at that information. The use of electronic records certainly increases the risk for breaches to occur.”
With the HITECH Act, healthcare organizations will soon be penalized if they have not implemented EHRs, Erdos pointed out.
“The challenge is that while all of these different organizations are increasing their use of EHRs, they don’t necessarily have the same level of resources or competency available to manage the risks,” Erdos said.
Smaller doctor’s offices, or independent healthcare organizations, are going to have different levels of resourcing and competency available to them, she added. Those smaller firms are going to likely be at a higher risk simply because they don’t have the degree of sophistication or resourcing around protecting the data in the first place.
However, an important thing to remember is that the size of the organization does not matter when it comes to creating a type of action plan.
“There are key steps that need to be taken when using EHRs,” Erdos said. “And this requires providers to be prepared.”
For example, healthcare organizations need to have a plan up front to safeguard physical assets. This includes paper records, EHR machines and any portable devices being used. Moreover, safeguards need to be in place for a facility’s cyber assets – the actual electronic health information. According to Erdos, this requires healthcare organizations to think about having the right policy and protocols in place, along with the proper staff training.
“Regardless of the size of the organization, the data you have is incredibly valuable,” Erdos said. “It’s not a question of ‘Are you going to get hacked?’ It’s a matter of when it is going to occur.”
Because of that, healthcare organizations need to be prepared, with the correct proactive monitoring and a cybercrime response plan in place.
What does the future hold?
The outlook is not entirely bleak for the healthcare industry, Erdos said. There have been “a number” of well-publicized breaches recently, in the healthcare sector and others. The threat is not expected to diminish anytime soon, she said. However, more board-level executives are becoming concerned about the threat, Erdos explained.
“They’re taking much more interest in understanding what organizations are doing to protect themselves,” Erdos said. “Like any other area of risk, once you get that board level of involvement, there tends to be much more focus in terms of getting the right type of controls in place, making sure that there are appropriate resources for it and bringing in the right competencies.”
Health data breaches will continue to be a risk, and it’s likely going to take time for the healthcare industry to achieve the same type of security levels seen in some of the more mature industries, Erdos explained. No one will ever be able to fully block all types of cyber attacks, she added.
“Someone is always going to be able to come up with a way to penetrate your systems,” Erdos said. “It’s just a matter of being able to have the right kind of processes in place should something occur, and then be able to quickly respond to it.”