Cybersecurity—Protecting Your Electronic Health Records

By Jeremy A. Wale, JD, ProAssurance Risk Resource Advisor

With the increased use of technology comes increased risk of cyberattacks. Anything transmitted or stored electronically is at risk of being stolen by a hacker.

Many people don’t believe—or understand why—medical information is valuable or at risk. According to a compilation of data breach statistics, there were 783 security breaches in the United States in 2014. Of those, 42.5% were breaches of medical or healthcare information. This equated to over eight million individual records being accessed or stolen by cyberattacks.[1]

Large healthcare systems, hospital networks, and individual healthcare providers have all been attacked, but the size of the entity is no clear indication of the size of the breach. For example, one Blue Cross Blue Shield attack yielded only 300 records, while a large system in Tennessee yielded approximately 4.5 million records. Several individual physician practices were breached as well, yielding as many as 7,500 records from one practice.[2]

Why are medical records targeted?

Medical records seem to be targeted because they contain all of an individual’s personal information: finances, social security numbers, health information, and family information. This gives thieves more potential uses for the stolen information, including applying for credit cards, store accounts, or other lines of credit. They also can use the information to steal healthcare services. These are just a few reasons why a medical record can fetch up to $50 on the black market, while a credit card number may only earn $5.[3]

Another example of how valuable a medical record may be: a security firm CEO shared an example of a black market advertisement to sell ten Medicare numbers. “It costs 22 bitcoin—about $4,700 according to today’s exchange rate.”[4]

The transition to electronic health records has given criminal hackers more opportunities to steal medical records. The chief information officer for a hospital system in Salt Lake City states his hospital system “fends off thousands of attempts to penetrate its network each week.”[5]

Another reason is ease of access. Some hospitals and healthcare providers are using systems that have not been updated in more than ten years.[6] While hospital systems and healthcare providers rush to prepare for ICD-10 implementation and meaningful use, cybersecurity seems to be falling through the cracks. Many healthcare systems “do not encrypt data within their own networks.”[7] Once a hacker penetrates whatever security the system does have, the unencrypted information is there for the taking.

Criminals also use stolen medical records to fraudulently bill healthcare insurance providers and Medicare/Medicaid. The victims may not discover the theft for several months—or even years. In some instances, victims have received debt collection requests for medical services they never received. 

What can you do to safeguard electronic medical records?

When implementing or updating an EHR system, talk to your vendor about cybersecurity. Ask whether the stored information is encrypted. It also is a good idea to determine if or when the vendor will provide security updates for your EHR software.

Organizations may need to “invest more money and employee talent in shoring up the walls 

 around their electronic data.”[8] Cybersecurity is a highly specialized area that requires a certain expertise. Your EHR vendor may be able to provide some assistance in this area, but remember their expertise is creation and functionality. Hiring in-house cybersecurity experts or contracting with a cybersecurity firm specializing in this area may be the best options to protect your organization and your patients.

Several organizations, such as the Department of Homeland Security, the American Hospital Association, the Centers for Medicare & Medicaid Services, and the National Institute of Standards and Technology, offer guidance and resources on cybersecurity. Their web addresses are included in the endnotes of this article.[9] These are just a few of the vast number of resources available to organizations regarding cyber-security.

[1] Identity theft resource center breach report hits record high in 2014. Identity theft resource center Web site. http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf. December 31, 2014. Accessed May 8, 2015.

[2] Identity theft resource center breach report hits record high in 2014. Identity theft resource center Web site. http://www.idtheftcenter.org/images/breach/DataBreachReports_2014.pdf. December 31, 2014. Accessed May 8, 2015.

[3] Murphy T, Bailey B. Hackers mine for gold in medical records. The Boston Globe. February 6, 2015. Accessed April 28, 2015.

[4] Shahani A. The black market for stolen health care data. NPR website. http://www.npr.org/blogs/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data. February 13, 2015. Accessed April 28, 2015.

[5] Humer C, Finkle J. Your medical record is worth more to hackers than your credit card. Reuters website. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. September 24, 2014. Accessed April 28, 2015.

[6] Humer C, Finkle J. Your medical record is worth more to hackers than your credit card. Reuters website. http://www.reuters.com/article/2014/09/24/us-cybersecurity-hospitals-idUSKCN0HJ21I20140924. September 24, 2014. Accessed April 28, 2015.

[7] Shahani A. The black market for stolen health care data. NPR website. http://www.npr.org/blogs/alltechconsidered/2015/02/13/385901377/the-black-market-for-stolen-health-care-data. February 13, 2015. Accessed April 28, 2015.

[8] Radcliffe S. Patients beware: hackers are targeting your medical information. Healthline News website. http://www.healthline.com/health-news/hackers-are-targeting-your-medical-information-010715#1. January 7, 2015. Accessed April 28, 2015.

[9] http://www.dhs.gov/topic/cybersecurity, http://www.aha.org/advocacy-issues/cybersecurity.shtml, http://www.nist.gov/cyberframework/index.cfm, http://www.cms.gov.