How Safe Are Electronic Health Records?

A recent ransomware attack on a Los Angeles hospital resulted in $17,000 worth of bitcoins being paid as a ransom payment after hackers infiltrated and disabled the hospital computer network. Although no patient records were compromised in this case, this example points to a much larger issue about general safety of patient records in electronic medical records (EMRs) and IT safety concerns. 

The incident “is evidence of a risk that is significant to all companies, but is not well-enough appreciated,” said Linda D Kornfeld, a partner at Kasowitz Benson Torres & Friedman L.L.P. in Los Angeles.

The attack on the Los Angeles hospital may be part of a growing trend. Late last week, the Florida-based cancer clinic chain, 21st Century Oncology Holdings, warned 2.2 million patients and employees that their data may have been stolen in a cyberattack.

In an investigative study examining electronic health records (EHR) and patient safety by the Department of Veterans Affairs (VA), significant safety concerns were brought to light, which researchers divided into 4 types—concerns related to unmet data display needs, concerns related to software modifications, concerns related to system-to-system interfaces, and concerns of hidden dependencies.

"Having a mature EHR system clearly does not eliminate EHR-related safety concerns," the researchers noted in the study.

When a hacker commits a ransomware cybercrime, he or she installs a virus to encrypt the data in the electronic medical record, locking out clinicians until a ransom is paid. Some experts expect ransomware attacks to increase in 2016, while others believe that they will start to target medical devices by turning off a medical device, such as an infusion pump or heart monitor, unless the clinician pays a ransom.

To combat this problem, health care organizations should conduct risk analyses of electronic data to locate vulnerable areas within the network, and protect medical and mobile devices, which are the source of most HIPAA enforcement actions by the Department of Health and Human Services.—Amanda Harvey

References

1. Hospital pays nearly $17G in bitcoins to hackers who disabled computer network. Fox News. February 18, 2016.
2. Greenwald J. Ransomware attacks emerge from the shadows. Business Insurance. February 23, 2016.
3. EHR and Patient Safety: A Real Danger, Even for Experienced Users. PT In Motion. Accessed March 6, 2016.
4. Hirsch MD. It's time for the healthcare industry to fight back against ransomware attacks. Fierce EMR Newsletter. January 27, 2016.
5. Hall SD. Report: Ransomware attacks on med devices a real possibility in 2016. FierceHealthIT newsletter. Accessed March 6, 2016.