Mitigating EHR Security Risks

Electronic health record (EHR) technology leverages digital progress and is transforming the way care is delivered and compensated. EHR allows patients’ medical information to be available whenever and wherever it is needed.1 According to, benefits of EHR range from improved medical care, care coordination, and patient outcomes to practice efficiencies and cost savings.2

Despite its benefits, recent security breaches of health records have left many feeling exposed. According to HHS Office for Civil Rights (OCR), more than 120 million people have been affected by the Health Information Technology for Economic and Clinical Health (HITECH) Act breaches through March 17th of this year.3 The Anthem breach alone exposed personal information of 80 million current and former members, according to a company statement. In this instance, cyber attackers obtained names, birthdays, medical IDs or social security numbers, street addresses, email addresses, employment information, and income data.

Cyber Attacks Not the Only Risk

There are five security components for risk management, according to the Guide to Privacy and Security of Electronic Health Information authored by The Office of the National Coordinator for Health Information Technology.4 The guide reports that for any single risk, a combination of security mitigation strategies may be necessary because of the number of potential vulnerabilities.

Five Security Components for Risk Management4

Security Component Examples of Vulnerabilities Examples of Security Mitigation Strategies
Administrative Safeguards
  • No security officer is designated.
  • Workforce is not trained or is unaware of privacy and security issues.
  • Periodic security assessment and reassessment are not performed.
  • Security officer is designated and publicized.
  • Workforce training begins at hire and is conducted on a regular and frequent basis.
  • Security risk analysis is performed periodically and when a change occurs in the practice or the technology.
Physical Safeguards
  • Facility has insufficient locks and other barriers to patient data access.
  • Computer equipment is easily accessible by the public.
  • Portable devices are not tracked or not locked up when not in use.
  • Building alarm systems are installed.
  • Offices are locked.
  • Screens are shielded from secondary viewers.
Technical Safeguards
  • Poor controls allow inappropriate access to EHR.
  • Audit logs are not used enough to monitor users and other EHR activities.
  • No measures are in place to keep electronic patient data from improper changes.
  • No contingency plan exists.
  • Electronic exchanges of patient information are not encrypted or otherwise secured.
  • Secure user IDs, passwords, and appropriate role-based access are used.
  • Routine audits of access and changes to EHR are conducted.
  • Anti-hacking and anti-malware software is installed.
  • Contingency plans and data backup plans are in place.
  • Data is encrypted.
Organizational Standards
  • No breach notification and associated policies exist.
  • Business Associate (BA) agreements have not been updated in several years.
  • Regular reviews of agreements are conducted and updates made accordingly.
Policies and Procedures
  • Generic written policies and procedures to ensure HIPAA security compliance were purchased but not followed.
  • The manager performs ad hoc security measures.
  • Written policies and procedures are implemented and staff is trained.
  • Security team conducts monthly review of user activities.
  • Routine updates are made to document security measures.

Patients Can Help

Patients can also help to keep their health information safe. The Federal Trade Commission outlined the following safeguards for patients to help protect their medical information:5

  • Be wary if someone offers you “free” health services or products, but requires you to provide your health plan ID number. Medical identity thieves may pretend to work for an insurance company, doctors’ offices, clinic, or pharmacy to try to trick you into revealing sensitive information.
  • Don’t share medical or insurance information by phone or email unless you initiated the contact and know whom you’re dealing with.
  • Keep paper and electronic copies of your medical and health insurance records in a safe place. Shred outdated health insurance forms, prescription and physician statements, and the labels from prescription bottles before you throw them out.
  • Before you provide sensitive personal information to a website that asks for your Social Security number, insurance account numbers, or details about your health, find out why it’s needed, how it will be kept safe, whether it will be shared, and with whom. Read the Privacy Policy on the website.
  • If you decide to share your information online, look for a lock icon on the browser’s status bar or a URL that begins “https:” the “s” is for secure.

As patient enrollments grow, more health information will be gathered. Making sure this data is secure is essential for the healthcare industry and for the patients.

What health information technology (HIT) issues keep you up at night?

Leave a comment below to continue the discussion.