Electronic health records and EHR systems are a point of vulnerability for any provider or practice that uses them. According to CBS News, at least five U.S. hospitals fell victim to ransomware attacks across the span of just one week in October 2020. Cyberattacks against healthcare providers affect not only operations but also patients' private information — both health-related and financial.
Practices that have not yet implemented an EHR, are looking to upgrade or still have questions about potential holes in their security may be uncertain where to find the information they need. This FAQ summarizes seven of our best resources for understanding healthcare security, including how EHR systems fit into this puzzle.
- How do I safeguard my practice against ransomware attacks? Healthcare is the most targeted sector for these attacks. But keeping a private practice safe does not have to be complicated if you follow a few simple rules, such as training your employees in online security and keeping computer systems up to date.
- I have a small practice. How do I know which healthcare cybersecurity guidelines to follow? While government regulations can seem onerous, the federal government has been thoughtful in providing guidance to assist providers with healthcare cybersecurity. In fact, a 2015 guide includes voluntary measures specific to small practices that will help ensure data stays safe.
- Am I really at risk for a cyberattack? Why is protecting patient information from hackers such a hot-button issue? Sensitive patient data can be used for many things, including blackmail and identity theft. Hackers know that healthcare organizations inadvertently create gaps in their infrastructure when they mix and match EHRs with other networked systems that are not well integrated, or systems that do not "speak" to each other. Being aware of where technological weak points can occur is the first step in understanding the need for security.
- How does a practice identify its vulnerabilities to privacy breaches? The points of vulnerability to cyberattacks and privacy breaches are largely the same for healthcare providers across the board: data, equipment and staff. When it comes to protecting a practice from these risks, medical records management is just as important as training staff on how to recognize malicious email links and knowing what equipment is connected to the office network.
- Can patient EHR data be shared securely between providers? An EHR presents an obvious point of vulnerability for any healthcare provider. However, the benefits of EHR use include improvements in patient care, efficiency, reduced costs of care and the ability to retrieve records from other providers. Even as clinicians increasingly share data to improve patient care, patient data can be withheld for certain reasons — including security.
- How does a growing practice archive its medical records? Retention of medical records is a tricky issue for many practices. Depending on the state in which a practice is located, it may be required to maintain records indefinitely. Most states do not exceed the Centers for Medicare and Medicaid Services' (CMS) 10-year rule, but a full 10 years of even one record can be sizeable. Many practices choose to implement a combination of medical record storage options to maximize their healthcare security.
- How does a practice decide which EHR best fits its needs and reduces security vulnerabilities? Any practice exploring options for EHR implementation or upgrade must consider four specific areas of security: devices, networks, data and practices. A vendor can help a practice determine its needs in an EHR and even introduce providers to newer technologies that drive efficiency and facilitate patient communication.
At their most basic, EHR systems hold medical records. Unlike paper charts, however, they are designed to extend past this basic purpose. By serving multiple roles within a practice, a robust EHR system aids in efficiency, billing, compliance and privacy. Practices in the process of upgrading or implementing new EHRs are tasked with going beyond systems that simply fit the work they are doing to find a system that brings new efficiencies and stays reliably secure.