The rise of electronic health records is a double-edged sword for businesses and the health care industry. Although they make recordkeeping much simpler and reduce the risk of errors, they also are an inviting target for cyber thieves.
"The health care industry is arguably the most heavily regulated in the area of privacy and data security," said Al Saikali, a partner and co-chair of Shook Hardy & Bacon's Data Security and Data Privacy Practice Group, based in Miami.
Even so, the high rate of exposure is due in large part to the proliferation of electronic health records and the need to exchange and make those records available quickly from one provider to another, and between providers and their vendors. "With so many hands on a medical record and the copies of the medical record, there are plenty of opportunities for unauthorized access or acquisition of those records," he said.
Statistics back up Saikali's observations:
- More than 1,000 large health data breaches by health care providers and affiliated vendors involving 500 or more individuals have been reported to the government since 2009.
- Medical records exposed in those breaches have affected nearly 31.7 million Americans — roughly 10 percent of the population, according to the Department of Health and Human Services.
- In addition to the large breaches, approximately 116,000 smaller breaches, each involving the records of fewer than 500 individuals, were reported through March 2013, according to the most recent data available.
These breaches occur even though most companies are going the extra mile to comply with Health Insurance Portability and Accountability Act (HIPAA) security rules.
"While most health care providers know to pay close attention to the HIPAA rules when setting up their information technology systems, recent events have demonstrated that this close scrutiny should also be applied to computer reconfigurations and other IT system changes," said attorney Rose Willis of Dickinson Wright PLLC in Detroit.
Under this rule, most health care providers are required to conduct a risk analysis of their IT equipment and implement HIPAA security policies and procedures to reduce their risk of a potential HIPAA violation.
"Whenever a change is made to a health-care provider's IT systems, a new risk analysis should be conducted to identify any potential risk of improper disclosure of [data] as a result of the change," she said. "Any such risk must be eliminated or sufficiently reduced prior to implementing the change to avoid a violation of HIPAA and the costly penalties that go along with it."
Robert Wah, president of the American Medical Association Board, told Politico that things could get worse before they get better.
"What I think it's going to lead to, if it hasn't already, is an arms race between the criminal element and the people trying to protect health data," he said. "They're seeking health records because they can do huge financial, fraudulent damage, more so than they can with a credit card number or Social Security number."
The FBI recommends the following steps to reduce the risk of security breaches:
- Continuously evaluate potential new security risks associated with technology upgrades or changes.
- Be cognizant of risks such as photocopier hard drives.
- Encrypt sensitive information where feasible, and to the extent it isn't feasible, build in other technical safeguards to protect the information.
- Require and audit annual training.
© 2025 ALM Global, LLC, All Rights Reserved.