Andrew Boyd, University of Illinois at Chicago

Health Data Security and the Unfortunate Choices Hospitals Must Make

By Andrew D. Boyd, M.D.
Andrew Boyd, University of Illinois at Chicago

Health technology developers need to prioritize security from the moment a device or platform is first incepted.

Protecting patients from harm is not only part of the Hippocratic Oath, but one of the major goals and principals of modern medicine. However, this is becoming nearly impossible to achieve within today’s chaotic healthcare system, largely due to the design, implementation, operation and regulations behind electronic health records.

Across the United States, the public often talks about electronic health records, or EHRs, as if they are one large database that contains all of the information necessary to manage a hospital. The reality is that hospitals can have up to several hundred databases and software systems in place to keep departments and facilities running. For example, X-rays and CT scans are normally located in a separate system from other pertinent records, simply because their file sizes are so large to store.

Learn more about device security at MTI’s upcoming conference,  Medical Device Cybersecurity: Legacy Device Remediation, Compensating Controls & End of Life | September 26–27, 2019 | Cambridge, MA or attend virtuallyThis begs the question of why don’t hospitals invest in multiple IT systems to keep that information both secure and easily-accessible? In healthcare, practitioners and staff have to access certain information quickly and easily, and having to navigate through several IT systems could slow things down. In a single shift, an ER doctor could click through an individual system 4,000 times. For that ER doctor, having to utilize an EHR system built with multiple forms of authentication and technical solutions is not reasonable, and it may reduce the amount of time they can spend treating patients and could result in worse outcomes.

The recent innovation of the integrated IV pump serves as another example of healthcare’s dilemma with time and technology. This IV pump can scan barcodes to learn about a patient’s medical history, medications they are taking and the nurse treating them, all while ensuring the patient is receiving the correct medication and treatment. The settings of the IV pump can be automatically preset, decreasing the likelihood that a nurse or staff person may change it to the wrong setting or provide improper medication. \But, because the IV pump is connected within the hospital’s human resource directory, the pharmacy resource system, and electronic health records, the potential is introduced for hackers to penetrate a hospital’s information system and compromise patient data. New features could be implemented into the IV pump to help maintain security, such as staff having to undergo a more extensive sign-in process. The amount of time spent preparing and using the IV pump would increase, and, in turn, make clinics less willing to adopt this potentially lifesaving technology.

The thought of hackers targeting IV pumps may seem a bit far-fetched, but that’s before one considers just how frequently healthcare organizations and their data are attacked. According to the data collected at Privacy Rights Clearinghouse, 55% of all reported data breaches in 2018 occurred in healthcare-related organizations. Within those 372 reported breaches, 44% were deliberate hacker penetrations, 39% of the breaches were unintended disclosures, and 17% were physical loss (including paper). The fact that loss of paper can be a significant potential breach indicates just how hard it is to secure data, especially when paper records have been the standard at clinics and hospitals for decades. When data breaches do occur, they are not always easy fixes. One of the largest data breaches that directly impacted hospitals took place at the Erie County Medical Center. In this incident, the facility’s EHRs were taken down for six weeks.

For the foreseeable future, all healthcare systems could be the subject of a potential attack. Health technology developers need to prioritize security from the moment a device or platform is first incepted. The belief that a hospital network will be perfectly secure, and that its larger, non-security systems do not need their own protection, is no longer existent.

Additionally, hospitals and clinics need to train and engage their staff about necessary policies and procedures to follow to ensure the security of health data. This is not something that can take place in a single webinar with a revisiting of the topic some years later, but requires a periodic and consistent emphasis of the necessary methods to maintain security.

To stop more attacks and breaches from taking place, hospitals need to prioritize standard operation procedures to monitor updates for patches or potential security threats. Take the data breach at Equifax for example, where the credit monitoring service did not follow through with a critical patch to its software, allowing hackers to infiltrate the system. Monitoring security notices and patching software is not necessarily a “fun” activity, but as health systems become more dependent, it is necessary to decrease potential threats. Plus, hackers and their tools are only going to evolve in sophistication, so even the most state-of-the-art systems will require both active monitoring and awareness.

No hospital or healthcare organization will ever be 100% safe from the threat of data breaches, but there still needs to be a strong financial and personal investment to ensure that patient data is as safe and secure as possible.

About The Author

Andrew Boyd, University of Illinois at Chicago