Stakeholders must double up on EHR security

It's somewhat self-serving that the U.S. Department of Health & Human Services published a notice in the Federal Register this week about its upcoming survey of the 115 covered entities that were audited for HIPAA compliance in 2012 pursuant to the Office for Civil Rights' (OCR) pilot audit program. It sounds all touchy-feely: HHS wants feedback about the program's features, the estimated costs of the audit, the effect on day-to-day operations, and the like.

But the kicker is the last survey question, which asks the entities to "assess whether improvements in HIPAA compliance were achieved as a result of the audit program."

Does HHS really expect any of these entities to say that they didn't improve their HIPAA compliance as a result of the HIPAA audit? The entities unlucky enough to have been subjects of the audit have had all of their HIPAA privacy and security violations exposed to the government. They are low-hanging fruit should OCR opt to impose penalties, since the investigations have already been completed. The best strategy they can take is to say that they've learned their lesson and are now effectively protecting their patients' data.

OCR already has stated that the audits revealed numerous security breaches, regardless of the size or type of covered entity. In fact, OCR had to cap the number of audits in the 2012 pilot at 115, even though the agency was authorized to conduct up to 150, because the violations found were so extensive.

Unfortunately, EHRs are particularly vulnerable to security breaches, a fact that is not lost on the government, which itself reported last month that it could hack into hospital EHRs simply by sitting in the parking lot using a laptop. Only 25 percent of the breaches reported to HHS have involved paper records, according to OCR head Leon Rodriguez.

And providers continue to be lax about securing their patients' electronic records, according to attorney Robert Hudock of Epstein Becker Green in Washington, D.C. Hudock, a certified "ethical hacker" as designated by the International Council of e-Commerce Consultants, told FierceEMR in an exclusive interview that vulnerabilities are not always apparent.

For instance, he said, providers can inadvertently create a security hole in their network perimeter when they scan medical records into their EHRs, since the scanned paper is usually not encrypted. "Scanned paper is readily accessible and easily understood, unlike EHRs themselves," Hudock said, making the data easy fodder for identity theft by cyber criminals.
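One concrete way to act on that point is to audit the share a scanner writes to and list every document that is sitting there in the clear. The script below is an added example, not code from the article or from Hudock; it identifies scanner output (PDF, TIFF, JPEG, PNG) by leading bytes rather than by file name, treats age and OpenPGP containers as acceptable wrappers, and for PDFs checks for the standard security handler's /Encrypt entry. The directory layout, the accepted container formats and every sample file are constructed assumptions for illustration.

```python
"""Audit a scan share for patient documents stored in the clear.

Added example for this article (not the author's or any vendor's code). It walks a
directory tree, recognises the formats scanners typically emit by their leading bytes
rather than by extension, and reports every scan that is not inside an encryption
container. All paths and the files built by build_sample_share() are constructed.
"""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Leading bytes of common scanner output formats.
SCAN_MAGIC = {
    b"%PDF-": "pdf",
    b"II*\x00": "tiff",
    b"MM\x00*": "tiff",
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
}

# Leading bytes of encryption containers this (assumed) policy accepts on the share.
# The OpenPGP entries are old-format packet headers: tag 1 (public-key encrypted
# session key) and tag 3 (symmetric-key encrypted session key); a one- or two-byte
# prefix is a heuristic, not a parse.
CONTAINER_MAGIC = {
    b"age-encryption.org/v1": "age",
    b"\x85\x01": "openpgp",
    b"\x85\x02": "openpgp",
    b"\x8c": "openpgp",
}

# A PDF protected by the standard security handler carries /Encrypt in its trailer
# dictionary (or in its cross-reference stream dictionary).
PDF_ENCRYPT_KEY = re.compile(rb"/Encrypt(?![A-Za-z])")


@dataclass(frozen=True)
class Finding:
    path: Path
    kind: str        # "pdf", "tiff", "jpeg", "png", "container" or "other"
    encrypted: bool
    note: str


def classify(path: Path) -> Finding:
    """Decide whether a single file is a scan stored in the clear."""
    with path.open("rb") as fh:
        head = fh.read(32)
        if any(head.startswith(m) for m in CONTAINER_MAGIC):
            return Finding(path, "container", True, "encryption container")
        kind = next((k for m, k in SCAN_MAGIC.items() if head.startswith(m)), "other")
        if kind == "other":
            return Finding(path, kind, False, "not a recognised scan format")
        if kind == "pdf":
            fh.seek(0)
            if PDF_ENCRYPT_KEY.search(fh.read()):
                return Finding(path, kind, True, "PDF standard security handler")
    return Finding(path, kind, False, f"{kind} stored in the clear")


def find_plaintext_scans(root: Path) -> list[Finding]:
    """Return findings for scans under root that are not encrypted, sorted by path."""
    hits = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            f = classify(p)
            if f.kind not in ("container", "other") and not f.encrypted:
                hits.append(f)
    return hits


def build_sample_share(root: Path) -> None:
    """Constructed sample files (not real records) that exercise each branch."""
    intake = root / "intake"
    intake.mkdir(parents=True, exist_ok=True)
    plain_pdf = (b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"
                 b"trailer << /Size 2 /Root 1 0 R >>\n%%EOF\n")
    enc_pdf = (b"%PDF-1.6\n1 0 obj << /Type /Catalog >> endobj\n"
               b"4 0 obj << /Filter /Standard /V 5 /R 6 >> endobj\n"
               b"trailer << /Size 5 /Root 1 0 R /Encrypt 4 0 R >>\n%%EOF\n")
    (intake / "patient_0001.pdf").write_bytes(plain_pdf)            # clear-text PDF
    (intake / "patient_0002.pdf").write_bytes(enc_pdf)              # encrypted PDF
    (intake / "insurance_card.txt").write_bytes(                    # TIFF despite .txt
        b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16)
    (intake / "referral.pdf").write_bytes(                          # age container despite .pdf
        b"age-encryption.org/v1\n-> X25519 abcd\n")
    (intake / "photo.jpg.gpg").write_bytes(b"\x85\x02\x03\x00" + b"\x00" * 8)
    (root / "README.txt").write_bytes(b"Scans from the front-desk MFP land here.\n")


def demo_findings() -> list[tuple[str, str]]:
    """Build the constructed share in a temp dir and return (relative path, note) per hit."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_share(root)
        return [(f.path.relative_to(root).as_posix(), f.note)
                for f in find_plaintext_scans(root)]


if __name__ == "__main__":
    for rel, note in demo_findings():
        print(f"{rel}: {note}")
```

Two caveats for anyone running something like this for real. First, an /Encrypt entry is necessary but not sufficient: a PDF whose owner password is set but whose user password is empty still carries /Encrypt and still opens for anyone who can read the file, so treat that check as a first pass, not proof. Second, the script only lists exposure; the fix is to encrypt the share at rest (or route scans straight into the EHR rather than onto a file server) and to tighten the share's access controls.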

Hospitals also make their EHRs vulnerable when they use patient-friendly kiosks. The kiosk often is on the same network as the EHR, but doesn't have the same firewalls, antivirus programs and other security protections. So if a user infects the kiosk with a virus, the virus will infect everything on the network.

"One exploit can attack millions," Hudock said.

And according to Hudock, there's a lot of money to be made by these cybercriminals, who increasingly are professional criminals. "Hackers are not kids anymore," Hudock said. "They're nation states."

Cybersecurity has been receiving a lot of media attention. President Obama even mentioned it in his State of the Union address. But stakeholders in the healthcare industry can't depend on the government to protect their EHRs.

This is a private effort. Even if you think your organization, facility or office is adequately protecting patient data, double check. I'm sure in hindsight, those audited entities wish they had done so. - Marla (@MarlaHirsch)