Electronic health records (EHRs) offer many benefits, such as centralizing patient information and streamlining communication. These benefits will only grow as technical advancements continue in healthcare. For example, in a Q&A following his HIMSS keynote, Eric Schmidt of Google spoke of the critical role EHR adoption has played in the centralization of patient data, which will make the use of technologies such as artificial intelligence and machine learning possible in the healthcare space.
Adoption of EHRs has reached a high point, with 99% of large hospitals using EHRs in 2017. However, adoption isn’t the problem. The trick for healthcare providers and other entities covered by the Health Insurance Portability and Accountability Act (HIPAA) is to ensure that, as these records become more widely used, shared, and interoperable, there are sufficient security controls in place to ensure regulatory compliance and patient privacy. This is especially true as new initiatives surface to make data more accessible to patients.
The General Data Protection Regulation (GDPR) is one of these. The regulation defines the three types of healthcare-related personal data of European Union residents that are subject to the specific regulation: genetic data, data that concerns physical or mental health, and biometric data. The GDPR prohibits the unnecessary collection of personal data by healthcare organizations and defines four common-sense categories where collection is allowed:
Data has been given with explicit consent from the owner
Data is necessary for the good of the public health
Processing is needed for the purposes of preventative or occupational medicine
Processing data is necessary to the “vital interests” of the patient and provider
To compound the issue, the pandemic spurred a 45% increase in cyberattacks on the healthcare industry. With CIOs being flanked by regulatory entities and cybercriminals, it’s no wonder 31% of hospital CIOs plan to invest more in IT upgrades and general data security in 2021 and beyond.
EHRs, by providing greater visibility into medical history to the patients themselves, are demonstrating real value. Traditionally, patients have not been able to access their medical files stored by their physician. However, recent programs seek to increase patient involvement in their care by allowing them greater access to their medical information through EHRs.
One of these programs is MyHealthEData, which is intended to give patients greater access to EHR data through various devices or applications of their choice. Patients will be able to receive full copies of their EHRs and easily share them with whomever they want. This program also emphasizes placing a focus on interoperability improvements.
All attempts to make health information more accessible, though, will only be successful if patients truly feel secure in receiving these records. In fact, one study found that 25% of patients who were offered access to online medical records chose not to receive them due to security and privacy concerns. To encourage patient engagement through EHRs, providers must ensure that there are security controls and strategies in place that protect patient privacy and maintain regulatory compliance.
Providers must take special care to secure protected health information (PHI) as EHRs become more shareable to mitigate the risk of a data breach and the loss of consumer trust. This means ensuring providers follow best practices and incorporate effective controls to secure records in health databases and in transit to patients, regardless of how they request to access it, such as through an app, email, or any other means.
Before taking any action, providers must get organizational buy-in and open communication with third-party vendors. Providers will also want to review HIPAA guidelines before deploying any EHR tools. Then, when working with third-party EHR developers, providers can ensure compliance and security are being taken into consideration in each iteration.
Once your leadership team understands the value of security the EHR, providers must use a layered approach to enhance EHR security. There are many security tools and practices that can be used to secure EHRs and build trust among users.
Build a Culture of Security. Providers must build a culture around security, educating employees on risk factors and how to avoid them, and making sure they follow protocol when it comes to sharing information and giving access to records.
Cyberthreat Assessment. A threat assessment will spotlight possible gaps in network protection that can lead to data compromise. This will help you verify the current maturity of your security program.
Secure Access. To ensure that only necessary parties have clearance to access private data, healthcare providers must implement a system to authenticate users. An effective identity access management solution will incorporate features such as two-factor authentication and guest and bring-your-own-device (BYOD) management.
Encryption. Encryption is crucial to ensure PHI cannot be intercepted and read in transit.
Internal Segmentation Firewalls. Providers can use internal segmentation firewalls to secure PHI and EHRs being stored in the network. This isolates private data behind an added layer of security to ensure that any threats that break through the perimeter cannot compromise patients’ private data. This will become increasingly important as interoperability between devices takes on a bigger role in healthcare.
Web Application Security. Cybercriminals regularly target web applications. Effective application security, such as a firewall, will ensure that vulnerable applications on patients’ mobile devices cannot be leveraged to compromise patient data when using an EHR app.
Endpoint Protection. Endpoint protection provides visibility into all connected devices accessing the network and allows them to be segmented based on their data permissions. Additionally, endpoint security enables real-time responses to malware and exploit-driven attacks.
EHRs are a tremendous asset to healthcare providers and patients alike, improving efficiency and accessibility of important health information. Increased accessibility requires greater security, though, for patients to place more trust in the technology and for providers to remain compliant with multiple regulations. A strategy of layered security controls will meet the needs of both parties. The recommendations above will help patients and their caregivers move confidently into the future of healthcare.
Read more about Fortinet cybersecurity solutions for healthcare. Read about Halifax Health and Fortinet - "Protecting Patient Data with Firewalls and AI." Read more about the Fortinet Security Fabric and how Fortinet is helping customers transition to the Third Generation of Network Security.