The Electronic Health Record (EHR) is permeating the healthcare industry. Easily accessible “minute clinics” and mobile apps that provide diagnostic services are welcome results of the increasing digitization of our medical histories. While an EHR offers clear benefits, including more accurate care, better clinical decision making, and lower healthcare costs, its use also carries numerous privacy risks.
The EHR was a little-known concept when President George W. Bush broached the idea of computerizing health records in his 2004 State of the Union Address. Since then, the healthcare industry has seen a national push to become fully EHR-dependent, a mission bolstered by President Obama’s promotion of EHRs through the Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act of 2009, and through the Affordable Care Act (ACA) of 2010.
Private industry and the general public are increasingly buying into the idea of EHRs as well; according to the Agency for Healthcare Research and Quality, a growing percentage of patients consider the implementation of EHRs important. The percentage of healthcare providers who have adopted EHRs has also risen year over year, reaching 67% in 2017.
However, this progress toward 100% EHR utilization has also raised privacy concerns, as EHRs contain a patient’s most sensitive data. Medical records are valuable on the black market because they bundle a wide range of personal information, such as medical history, social security numbers, and insurance details. Unlike a stolen credit card number, which can be cancelled and reissued, this information cannot be changed, so a single record gives criminals enough data to steal an individual’s identity outright and to commit a wide array of other crimes.
In the summer of 2016, a rogue online actor known as “thedarkoverlord” stole 655,000 health records from three healthcare providers in the United States. The hacker quickly put the stolen records up for sale on the dark web for an asking price of $700,000. The anonymous hacker told Vice’s Motherboard publication that “[t]he data could be used for anything from getting lines of credit to opening bank accounts to carrying out loan fraud and much more.” This single breach represented a mere 2.4% of all electronic health records stolen in 2016.
More often than not, the burden of resolving the theft of medical records, as in the case of “thedarkoverlord,” rests with the patient. According to the Ponemon Institute’s Fifth Annual Study on Medical Identity Theft, “[s]ixty-five percent of medical identity theft victims […] had to pay an average of $13,500 to resolve the crime.” The heavy financial burden and continued attacks directly erode the public’s confidence in the privacy of its records. In 2015, 68% of patients were not confident that their healthcare providers could protect their medical records from loss or theft.
To address these security concerns, lawmakers have enacted regulations “to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care.” These competing interests have become harder to balance as reliance on EHRs grows and, with it, the opportunity to steal data.
The Health Insurance Portability and Accountability Act (HIPAA) has been the cornerstone legislation on health-data privacy and holds covered entities responsible for breaches of the data it protects, yet major breaches still occur through organizational oversight. In an attempt to incentivize private entities to keep their cybersecurity programs current, Ohio recently passed a law creating a safe harbor for companies that suffer a data breach, in the form of an affirmative defense against tort claims alleging that inadequate security controls caused the breach. To take advantage of this defense, a company must maintain a written cybersecurity program that reasonably conforms to an industry-recognized framework, such as the NIST Cybersecurity Framework or ISO 27001, or to the security requirements of a statute such as HIPAA that already regulates it. The safe harbor addresses civil liability under state law only; it does not shield a company from regulatory enforcement under HIPAA itself. Ohio’s innovative approach to cybersecurity enforcement aims to encourage all businesses to implement cybersecurity programs tailored to protect sensitive information while still allowing technology to improve.
When President Bush called for implementing EHRs in 2004, neither he nor anyone else could have predicted the scale of today’s data breaches. A healthcare system reliant upon EHRs is new territory for the health industry and will continue to attract those who wish to steal its data. However, with continued reliance upon the protections of regulations such as HIPAA, and with innovative methods to incentivize a high level of cybersecurity in the private sector, we can feel secure in our progress toward the future that EHRs can provide.