EHRs a major cause of patient info breaches

The "aggressive" adoption of electronic health records is one of the biggest reasons for the rise in security breaches of patient records, according to HIMSS' latest analytics report on the security of patient data.

The report, commissioned by Kroll Advisory Solutions, noted that with the move to patient records in electronic form, the data is more vulnerable since it's more accessible and mobile. Of the respondent hospitals that have reported a security breach of patient information, 22 percent reported that the data compromised had been in electronic form--such as a computer or mobile device--double the amount reported in 2010. Most of the breaches involved theft or loss.

The report also noted that EHR use makes the data more vulnerable because more of the data is going offsite. "Particularly with the rise of EHRs, more healthcare providers are entrusting their patient data to third parties, meaning that the scope of patient data security extends far beyond the walls of their own hospital," the report noted. 

This creates problems, according to the report, because while most of the hospitals require their third-party vendors to sign business associate contracts agreeing to protect the patient data, they don't hold the vendors to best practice security standards; just over half (56 percent) ensure that their vendors conduct a risk analysis to determine if security vulnerabilities exist.

Unlike paper records, electronic records are subject not only to breaches caused by employees, but also by outside cybercriminals. The recent breach of Medicaid patients in Utah that has affected roughly 800,000 patients was caused by hackers located in Eastern Europe, according to the Salt Lake Tribune.

While the breach didn't necessarily involve EHRs in a traditional sense, the report makes it clear that with the introduction of new technologies comes added responsibility.

"Knowing that the continued implementation of EHRs and introduction of new technologies in the workplace will only complicate the security landscape, the sense of urgency is clear," the authors concluded.

Officials in New York, meanwhile, are attempting to be proactive with regard to protecting such information. Last week, state health officials announced the creation of a statewide health information network policy committee, established primarily to boost protection of personal health information.

To learn more:
- download the report (registration required)
- read this Salt Lake Tribune article
- check out this InfoSecurity Magazine piece