Healthcare Breaches and EMR Adoption

With a certain Ms. Madison recently dominating headlines (even earning shout outs on hit TV series), it might be easy to forget that other hacks—less scandalous but just as symptomatic—continue apace.  Healthcare, in particular, remains an attractive industry for cyber criminals to target.  People’s medical information can net thieves a much better payday, after all, than other data like credit card numbers and SSNs.  Through April of 2015, in fact, healthcare, from providers to business associates to clearing houses, accounted for approximately 34% of all data breaches.  No more incentive should then be required for healthcare entities to have both safeguards and thorough response plans in place for when incidents like these occur to them.  Yes, that’s when, not if.

Boston University did it right—well, right as could be after an infiltration, when they were notified in May about a server at Boston Medical Center Emergency Medicine being inappropriately accessed.  Notifications were sent out to those whose SSNs, dates of birth, and of course, medical records, were put at risk; all personal data was removed from the server upon discovery; and, according to the university, they are taking steps to prevent this from happening again, as well as reaching out to the US Department of Health and Human Services Office for Human Research Protections.  Going down along the eastern seaboard, Merit Health Northwest Mississippi reported that an employee, now suspended, had been removing hospital documents containing similar information from February 2013 to June 2015.  The hospital was notified by law enforcement that the suspect was under investigation for identity theft.  Along with terminating the employee, they notified affected patients, with help on accessing free credit monitoring and identity theft resolution services.

Both organizations had plans in place, and effected them when trouble came knocking.

While some would say that breaches like the Anthem hack show that privacy in the healthcare industry doesn’t exist—and that may be true—it’s no excuse for lax policy.  As I said, medical records fetch a high price for hackers, and a recent study by Tara O’Neill of the American Action Forum also highlights the substantial cost EMR adoption has for providers, which was encouraged with financial incentives by the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009.  The full report is available here, but an interesting point addressed is that policymakers and healthcare professionals will need to come together to make legislative change in order for a balance to be reached between sharing information, thus improving interoperability and the productivity rates for EMRs, and ensuring privacy.

As much as can be had these days.

By: Jonathan Weicher