A couple of recent data breaches involving thousands of healthcare records underline the need for vigilance surrounding the security of EHRs.
Last week, Howard University Hospital in Washington, D.C., revealed that it had notified over 34,000 patients that a former contractor’s laptop containing patient data was stolen from that individual’s car in January. The laptop was password-protected, but the data was not encrypted, according to the hospital.
In another incident, the California Department of Child Support Services lost backup records of 800,000 people enrolled in its programs. The state said the records were lost while the media was being returned to security contractor Iron Mountain from an IBM facility in Boulder, Colo. In a statement, the government advised that the people whose records may have been lost take steps to prevent identity theft.
While these cases involved the theft or loss of physical items handled by third-party contractors, there are concerns that data breaches are more likely to occur if EHRs are externally hosted by a third party. However, a recent report from Verizon might alleviate security concerns surrounding cloud-based EHRs.
The company’s 2012 Data Breach Investigations Report showed that data breaches were just as likely to occur with internally stored data as with files stored externally. This would seem to suggest that there is no connection between data breaches and where the information, like an EHR database, is stored.
The study also showed an uptick in overall data breaches, especially from outside hackers. The report noted a 58 percent increase in stolen records due to hacktivism by groups like Anonymous. About 98 percent of cyber-attacks were committed by outsiders. The report links 70 percent geographically to Eastern Europe, dispelling the notion of a dominant Chinese hacking culture. The report also said that the percentage of internal attackers has diminished significantly over the last few years. Only 4 percent of last year’s attacks were performed internally, down from a high of 48 percent in 2009.
If providers do choose to host data externally, they should look into signing contracts containing indemnification clauses to protect themselves in the event that a data breach does occur. Speaking on a panel at the Health IT Insight Summit, Kurt Johnson, the Vice President of Strategy and Development at Courion, said many large cloud service providers have yet to embrace these kinds of protections.
“Go online, check out ‘Amazon Cloud Services Contract’, and just look under warranty,” Johnson said.
“You will see there in big bold print there that Amazon does not warrant that the information will be available, protected, free from being stolen… and essentially what they’ll give you if that happens is a credit on your monthly fee. They are absolutely not stepping up to take on any of those kinds of (responsibilities).”
“Indemnification is something that their lawyers are pushing very hard for them to stay away from… This is the most immature aspect of it—(vendors) really taking and standing behind what they’re willing to do there,” he added.