Login Register Subscribe
Current Issue

Keeping health care data safe in a mobile world


Smartphone applications represent the next frontier in the use of electronic health records, but ever-present cyber risks present a significant challenge in a health care industry frequently under attack.

EHRs are digital versions of a patient’s paper chart, making information such as a patient’s medical history, diagnoses, medications and allergies available to health care providers on a real-time basis.

In 2004, President George W. Bush launched a 10-year effort to expand EHR use. Significant progress has been made toward this goal, partly driven by financial incentives offered in the Health Information Technology for Economic and Clinical Health Act passed in 2009, experts say.

In 2015, 96% of nonfederal acute care hospitals had an EHR system certified as meeting requirements issued by the U.S. Department of Health and Human Services, up from 71.9% in 2011, according to the Office of the National Coordinator for Health Information Technology.

However, the privacy and security of these records is a major concern, as the health care sector is frequently under cyber attack.

Mountain View, California-based cyber security firm Symantec Corp.’s April 2016 Internet Security Threat Report found that health care was the most targeted sector in 2015, with 120 reported incidents accounting for almost 39.3% of all reported attacks. The Office of Civil Rights within HHS reported that 113 million medical records were compromised last year.

EHRs are particularly vulnerable because theft of this information is more difficult to detect than normal identity theft, according to a September report published by the Washington-based Institute for Critical Infrastructure Technology. These records are also more valuable than financial data alone because they can be used to bill insurers or the government for fictitious medical care, and the included information is difficult or impossible to change versus easily canceled credit cards.

“Hackers stopped targeting the financial sector because they got their act together,” said James Scott, the institute’s co-founder and senior fellow. “They just go with the treasure troves of valuable information in the health sector — a health sector with virtually zero security, no cyber hygiene. Until this sector beefs up security on all levels, they’re going to continue to be a target.”

The HITECH Act implemented a new penalty structure for Health Insurance Portability and Accountability Act violations and added privacy and security elements such as breach notification requirements.

“Under the HITECH Act, (there) is now a financial burden for a health system for a data breach,” Aneesh Chopra, president of Arlington, Virginia-based NavHealth and former U.S. chief technology officer, said on Sept. 30 at an Information Technology and Innovation Foundation event in Washington.

“They have to report, and they’re on the hook. That’s more teeth than on the retail sector, so it should have led to more investments in cyber security. Still we had breaches on basic things such as password management,” Mr. Chopra said.

There are additional consequences if patients are encouraged to download apps featuring their health information, said Robert Gellman, a privacy and information policy consultant in Washington. HIPAA requires health care providers and insurers to protect patient records, but if the information is given to and used by noncovered entities, including patients themselves, there is no legal protection, he said. Patients downloading other apps can inadvertently give them permission to access the health information on their smartphones.

“Patients aren’t capable of providing their own privacy policies,” Mr. Gellman said. “They need a legal structure for that. Part of the health care environment that isn’t protected by HIPAA needs protection if you’re going to do this.”

Further complicating the matter is the difficulty in knowing what these apps are doing “behind the scenes” and whether they are lying in wait to access data, said Rod Piechowski, senior director of health information systems at the Chicago-based Healthcare Information and Management Systems Society.