Complete the form by inserting your answers and suggestions in the right column. (The column expands as you write.)

Rough Draft/ Electronic Health Records: Are the Benefits Worth the Risk?

Teresa Sly

Rasmussen College

Author Note

            This paper is being submitted on November 15, 2016, for Holli Rich’s GEB 3110 Research and Report Writing course.

Rough Draft

Electronic Health Records: Are the Benefits Worth the Risk?

     On February 17, 2009, President Obama signed into law a $789 billion dollar economic stimulus package, formally known as the American Recovery and Reinvestment Act, or ARRA. Included in ARRA legislation is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act set aside 27 billion for an incentive program that encourages hospitals to adopt electronic health records. Billions more were allocated to help train health information technology workers and assist hospitals and providers to adopt these systems. To gain these incentives providers of health care are required to show that they have achieved “meaningful use” of that system regarding improving quality. At a minimum, that will mean having systems capable of e-prescribing, reporting quality data, and exchanging data among providers (“ARRA Hitech,” n.d.).I believe that in its haste to adopt electronic health records and gain lucrative incentives, the health care industry has overlooked serious security issues. According to an article entitled.“Safety and Privacy in Electronic Health Records,” in The Journal of Biomedical Informatics, the authors state  “there has been little activity in policy development involving the numerous security and privacy issues related to electronic health records.” Moreover, the advances in Information and Communications Technologies have led to a situation in which patients’ health data are confronting new security and privacy threats (Fernandez Aleman, 2013, pp. 541-562).

  The above and following information supports both my hypothesis, electronic health records have many vulnerabilities and shortcomings in regards to protection of patient health information, and my thesis statement, although electronic health records have many benefits, electronic health records are vulnerable to hackers who can steal our personal data for criminal gain. I believe the risks outweigh the benefits.

 According to Richard Clark, former Whitehouse Security Czar, in his address to the Healthcare IT News- Privacy and Security Forum, the year 2015 was among the worst in cyber security across the healthcare sector.  On average, companies that suffered a breach did not know it for 270 days, and some had been breached for seven years without knowing it. In a direct quote from Mr. Clark’s speech he states “You guys know it, Healthcare IT security: you have a bad reputation. “When it gets down to healthcare there’s always a little chuckle about how bad they (EHR security systems) are We can’t put that in a closet and pretend it’s not true (Sullivan, 2015).” This quote leads me to believe that experts in the health care IT field are very aware of the shortcomings in the security of EHR’s

In a personal interview with Candace Fenske Administrator of the Madelia Community Hospital and Clinic on October 25, 2016, I learned that the facility has adopted and uses electronic patient records.  The providers at the facility routinely use the system to order medications, retrieve lab results, send and receive data from affiliated providers, and use computerized physician order entry. I told her that the focus of my questions would be the possible repercussions of a breach of patient data by unauthorized individuals. Ms. Fenske stated that to her knowledgethis has not occurred at the facility, but if it did, the foremost repercussion would be a loss of patient trust in the provider. “In a small independent rural hospital, patient confidence in the staff and the facility is critical.” “There would, of course, be fines to the organization from the resulting HIPAA violations, but again, the loss of trust would be the most devastating consequence.” If patients do not believe that we can keep their personal information private, they will not continue to receive their healthcare here.” When asked if she believes that in its rush digitize our personal health information, the healthcare industry overlooked necessary security measures; Ms. Fenske stated, “There are certainly incentives in place for healthcare organizations to adopt electronic records, and possible fines for those that don’t adopt them. For a hospital to remain competitive it becomes necessary, and yes, with the way technology is advancing, there will always be new cyber threats, and the health care industry has been somewhat naïve about that.” I presented Ms. Fenske with the following data:

• Based on data collected by the Health and Human Services Office for Civil Rights, as of February 1, 2016, protected health information breaches affected over 113 million individuals in 2015. In 2015, hacking incidents comprised nearly 99% of all people affected by breaches, and the number of reported hacking incidents, comprised over 20% of all reported breaches (“Office of the National,” 2016).

• “One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective (Ponemon, 2016).

• “We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, inadequate training, lack of policy, lack of network awareness and much more. These vulnerabilities are a result of systemic business failures (Harrington, 2016).”

• “These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas (Terhune, 2015).

      I found her response to the data surprising. She stated, “I don’t find that hard to believe,” but the incidents are probably higher than that, as this is a subject that health care organizations are very reluctant to talk about.” While I saw no intention on Ms. Fenske’s part to be deceptive, I felt that this was certainly a sensitive issue in the health care industry as a whole.  Our interview concluded shortly after that. (C. Fenske, personal communication, October 25, 2016).

     While there is no real way to know what particular breaches of sensitive patient health information have gone unreported, those that have, are staggering. The United States Department of Health and Human Services Office of Civil Rights is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act, to publish a list of breaches of unsecured protected health information affecting 500 or more individuals. The published list must include the names of the private practice providers who have reported the breaches. The list goes back to 2009, and contains 1718 individual entries and contains 18 pages with the last entry on 10/21/2016 (United States, 2016, pp. 1-18).  I believe this, and the information preceding it, support my thesis statement.

     The sheer amount of compromised health information is staggering; due to that fact I will focus my data on those incidents that involve hacking of health information from outside sources. The following statistics also support my thesis.

     Sixty-eight percent of Americans state that they are not confident that their healthcare providers will protect their medical records from loss or theft. Fifty percent of Americans also report that they would lose trust in their provider if it has been proven that they are negligent in the breach of their personal health information (Fifth Annual, 2015).

     According to The Bitglass Healthcare Breach report “Last year in the United States, more than 113 million individuals’ had their personal health information breached due to a hack or IT incident.”  The majority of healthcare records leaked (98 percent) in 2015 were compromised due to large-scale cyber attacks. In 2015, there were 56 breaches due to hacking or IT incidents, compared to 31 in 2014.CEO of Bitglass Nat Kausik States, The 80 percent increase in data breach hacks in 2015 makes it clear that hackers are targeting healthcare with large-scale attacks affecting one in three Americans.  “As the IT revolution compounds the problem with real-time patient data, healthcare organizations must embrace innovative data security technologies to meet security and compliance requirements.”(Pallardy,2016).

     The Health and Human Services Office for Civil Rights also reports that as of February 1, 2016, protected health information breaches affected 113 million individuals in 2015.  Hacking incidents comprised nearly 99% of all persons affected by breaches, and the number of reported hacking incidents, 57, comprised over 20% of all reported breaches (“HHS/OCR Breach,” 2016).

     The five data breaches that affected the most individuals in 2015 as reported by the Health and Human Services Office of Civil Right breach notification portal are as follows:

1. Anthem: 78.8 million individuals affected
   In February 2015, Indianapolis-based insurance payer Anthem reported its network had been hacked. The organization learned of the attack in late January when a systems administrator noticed a database query using his identifier code was running, but he had not initiated the query.

2. Premera Blue Cross: 11 million individuals affected
   On Jan. 29, Washington.-based Premera Blue Cross learned of a cyber attack on its IT systems. The insurance payer notified the public in March, indicating the hack affected 11 million customers, employees, and business affiliates.

3.  Excellus Health Plan: 10 million individuals affected
   New York-based Excellus Health Plan reported a cyber attack in September affecting 10 million records. The payer learned of the attack in August, and an investigation revealed the cyber attackers initially accessed the payer’s IT systems in December 2013. The breach affects members with Excellus plans and other Blue Cross Blue Shield plan members who sought treatment in Excellus’ upstate New York service area.

4. UCLA Health: 4.5 million individuals affected
   The protected health information of nearly 4.5 million people was compromised at UCLA Health when hackers launched a cyber-attack on the health system’s network. The health system learned of the attack May 5 and reported it in July. The initial investigation into the attack suggests the cyber attacker had access to the IT system since September 2014.

5. Medical Informatics Engineering: 3.9 million individuals affected
   The medical software company based in Indiana, Ind., was hacked on May 7 and affected 3.9 million individuals nationwide. The company detected the cyber attack May 26 and reported it June 10 (Jayanthi, 2015).

     The HHS OCR breach portal is required by section 13402 of the HITECH Act to post a list of breaches of unsecured protected health information affecting 500 or more individuals. There are currently 11727 entries beginning on October 21, 2009, and ending on October 26, 2016. I have focused on only those breaches that involved hacking from outside sources in the year 2016. Those breaches totaled four million one hundred and four thousand and ninety-five incidents (“HIPAA for Professionals,” n.d).

     To solve some of the security issues involved in the use of EHR’s, Steve Manzuik, Director of Security Research at Duo Security offers these suggestions for health care facilities to prevent hacking of patient records. He first suggests updating Java and Flash software often used for e-prescribing, as older versions of these programs have vulnerabilities that hackers can exploit. Manzuik also recommends updating devices, browsers, and operating systems. Hackers can easily exploit flaws in an outdated operating system to gain unauthorized access to networks. He also urges health care facilities tospeak to employees and stakeholders about using strong, unique passwords.  Using two-factorauthentication will also add another layer of security to your electronic records. Two-factor authentication is a process in which not only a user name and password are required, but also a second password is known only to each user is needed to access the records. Employees should be cautioned to refrain from opening links or attachments from unknown sources., and lastly, Manzuik suggests that every facility regularly backs up important files (Manzuik, 2016).  Many solutions have been offered to solve security issues related to the adoption of electronic health records, and many like those above, are simple. But the sheer volume of people, especially in a large interconnected organization, accessing personal health information on a daily basis could make even simple security measures difficult.

     I believe that the preceding evidence supports my thesis statement that although electronic health records have many benefits, electronic health records are vulnerable to hackers who can steal our personal information for criminal gain. I believe the risks outweigh the benefits. For our personal health information to remain secure, the health care industry would have to continuously upgrade their systems, and provide ongoing training to employees. This, added to the initially significant expense of implementing the system, makes EHR’s incredibly expensive, especially for smaller practices and those not eligible for government incentives. In 2016 ABC Action News report,  security experts state “for health care, getting hacked is a matter of when, not if (Paluska, 2016). “Do health care organizations now have to add litigation expenses to the already mounting costs of EHR’S? Until the obvious security concerns related to electronic health records can be resolved, I will continue to believe that the risks of EHR’s outweigh the benefits.

References

ARRA hitech act faq’s. (n.d.). Retrieved November 17, 2016, from http://www.arrahitechsolutions.com/ARRA_HITECH_Act_FAQ_s.html

Fernandez Aleman, J. L. (2013). Security and privacy in electronic health records: A systematic literature review. The Journal of Biomedical Informatics, 46(3), 541-562. http://dx.doi.org/10.1016/j.jbi.2012.12.003

Fifth annual study on medical identity theft. (2015, February). Retrieved from http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf

Harrington, T. (2016, February 23). Hacking hospitals. Retrieved from https://securityevaluators.com/hospitalhack/

HHS/OCR breach portal. (2016, October 26). Retrieved from U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Breaches Affecting 500 or More Individuals database.

HIPAA for professionals breach notification. (n.d.). Retrieved from http://www.hhs.gov/hipaa/for-professionals/breach-notification/

Jayanthi, A. (2015, December 14). The five biggest health care breaches of 2015. Retrieved from http://www.beckershospitalreview.com/healthcare-information-technology/5-biggest-healthcare-data-breaches-of-2015.html

Manzuik, S. (2016, May 26). How hospitals are getting hacked and how you can prevent it from happening to you. Retrieved from ttp://www.healthitoutcomes.com/doc/how-hospitals-are-getting-hacked-and-how-to-prevent-it-from-happening-to-you-0001

Pallardy, C. (2016, January 27). Large scale cyber-attacks account for 98% of breached health records. Retrieved November 5, 2016, from http://www.healthit.myindustrytracker.com/en/article/126184/large-scale-cyberattacks-account-for-98-of-breached-health-records

Paluska, M. (2016, March 28). Security expert: Getting hacked is a matter of when not if. Retrieved from http://www.abcactionnews.com/news/security-expert-getting-hacked-a-matter-of-when-not-if

Ponemon, L. (2016). Securing hospitals. Retrieved from https://www.securityevaluators.com/hospitalhack/securing_hospitals

Sullivan, T. (2015, December 1). 7 cyber threats worse than PHI breaches. Retrieved from http://www.healthcareitnews.com/news/7-cyber-threats-other-phi-or-pii-breaches

Terhune, C. (2015, July 17). UCLA data breach affects 4.5 million patients. Retrieved from Los Angeles Times website: http://www.latimes.com/business/la-fi-ucla-medical-data-20150717-story.html