Be prepared: Consumers are about to find out that EHRs are vulnerable

I hope I'm not the only person who finds the results of the latest poll from Morning Consult disturbing.

The poll, released this week, found that more than three-fourths of the American public expects hospitals to use electronic health records, but "only 53 percent" trust the safety of those records. Thirty-nine percent were "worried" about the records' security.

Are you kidding? More than half of the American public actually thinks that their electronic health records are safe? I can't begin to fathom what these people are basing that on. The poll respondents weren't slouches, either. Fully 92 percent had at least a high school diploma. Twenty-two percent had bachelor's degrees; 12 percent had post-graduate degrees.

Are they being lulled by the assumption that since hospitals take care of patients that they'll also be good about taking care of patient records? Do they not read the news? Is the American public this uninformed?

OK, maybe they don't follow security breaches, like last month's record-breaking $4.8 million HIPAA settlement, the way I do.

But surely they know about the breach at Target, the Heartbleed bug and other incidents reported in the mainstream press. Data insecurity is even the cover story of the latest Consumer Reports Magazine. And hasn't everyone by now received a notification letter from some institution alerting them to a security breach that may have compromised their personal data? I've received several.

Everyone should be "worried" about whether patient data in EHRs--or anywhere--is adequately safeguarded. They should be afraid--very afraid.

Because we know that this data is not safe.  

It's not that hospitals and other healthcare organizations don't want to keep patient data safe. Of course they do. It's just such an arduous task. Even the most diligent provider, health plan or business associate handling patient information is at risk of hackers or malicious malware. And they represent a relatively small percentage of security breaches, many of which are caused by human error, such as losing a laptop, or an insider threat, such as a nosy employee.

And it's only going to get worse for electronic patient records. The healthcare industry lags behind other industries in information security. Healthcare experienced the largest growth in security incidents and had the slowest response to them from April 1, 2013 to March 31, 2014. Health records will continue to be a popular target for the unscrupulous, since medical records--with their treasure trove of information--go for $20 on the black market, while credit card data only garners a dollar.

And the proliferation of aggregate databases and health information exchanges, for all of their benefits, are yet additional places where EHR information will be stored, making the records even more vulnerable.

Even the Department of Health and Human Services' Office for Civil Rights acknowledged that electronic data is the "most vulnerable." The government is well aware. OCR has stepped up enforcement of HIPAA. The Office of Inspector General is now focusing on security controls involving EHRs.

But many consumers are still in the dark. And hell hath no fury like the American public when it finally wakes up to something.

Stakeholders: you may want to step up your game here. It's only a matter of time before the public wises up. And the fallout won't be pretty.  - Marla (@MarlaHirsch and @FierceHealthIT)

Related Articles
Poll: Worry persists over safety of patient info in EHRs
Heartbleed: What is the impact on health IT?
Server mishap results in largest HIPAA fine to date
Health IT security lags behind retail industry  
OCR officials: Electronic data the 'most vulnerable'
Providers, vendors: Ignore OIG work plan at your peril
Internet Explorer flaw latest security worry for health care CIOs