Cybersecurity Is a Major Risk During the Transition to EHRs

Technology, specifically the electronic medical record, is becoming more prevalent in the healthcare industry; however, there are significant cybersecurity risks due to the major information shift.

A paper published in JAMA discussed the risks involved in the transition from paper medical records to electronic, and the prevention methods that are needed to avoid the consequences of potential viruses and hackers.

Congress had established the Health Care Industry Cybersecurity Task Force (HCIC) in 2015 to protect from 2 malware viruses—WannaCry and Petya. The HCIC was made up of 21 members including representatives in the federal government, patient advocates, and information technology (IT) specialists. In its report, Report on Improving Cybersecurity in the Health Care Industry, the HCIC suggested 6 critical recommendations for the healthcare industry, including:

1. Identify and streamline leadership, governance, and expectations for healthcare cybersecurity.
2. Increase the security of medical devices and health IT.
3. Create the healthcare workforce capacity needed to prioritize and guarantee cybersecurity awareness and technical capabilities.
4. Increase the industry’s readiness by improved cybersecurity awareness and education.
5. Identify mechanisms to protect the research, development efforts, and intellectual property from attacks.
6. Improve the information sharing of threats, weaknesses, and mitigations in the industry.

The development of electronic health records has produced a new risk for patients that potentially have more severe consequences. For example, ransomware—a software that permanently blocks access to records unless a ransom is paid—has the potential to isolate large data files that can limit patient care for extended periods.

“This stolen information not only can be sold for financial gain, but also can be used by other individuals to receive medical care, providing an opportunity for intermingling of medical information that can alter an allergy history, medication list, or other critical elements of a patient’s history,” the authors wrote. “This vulnerability can undermine public trust and prompt patients to withhold sensitive but needed information about medical history.”

Not all small hospitals and practices have access or the resources to protect against certain cybersecurity risks, and therefore should practice cyber hygiene, according to the authors. This can be accomplished by regularly changing passwords, ensuring their passwords are strong, and being aware of certain vulnerabilities, including non-updated software.

Despite the benefits of improved access that electronic health records and technology advancements provide, the healthcare industry should make an effort to prevent negative consequences that come with these new technologies through promoting awareness.