How Safe Are Your Electronic Medical Records?
Are electronic records really safer than paper records?
Electronic Medical Records (EMR), also known as Electronic Health Records (EHR), have become a popular replacement for paper records for a number of reasons, including saving time, reducing costs and improving the quality of medical care.
But like anything online, there are certain safety precautions that must be made to ensure that all electronic records are kept safe from prying eyes.
Even though paper files are just as prone to theft and loss as digital files, because the technology supporting EMRs is so new, many healthcare professionals question whether or not the benefits outweigh the concerns.
The good news is that yes, EMRs are safe if you take proper precautions, but just like paper records, they’re not totally impervious to threats. Here are a few things healthcare professionals should know about keeping patient EMRs safe from harm.
Hacking Threats to Electronic Medical Records
When most people think of “hacking” or the theft of online information, they assume that digital thieves would only really target banks or retailers to obtain credit card information. But 1 in 4 attacks are actually on healthcare institutions.
The biggest reason that medical clinics and hospitals are hacked is for non-financial information. Healthcare records contain Social Security numbers, home addresses and patient health histories, data that can be used (or sold) in order to steal identities and perform insurance fraud.
According to industry consultancy Accenture, cyber attacks on EMRs cost hospitals billions each year, with 1 in 13 patients having their data compromised by a hack.
But this doesn’t mean that EMRs are inherently unsafe. EMR systems use data encryption to protect medical records the same way banks do to protect sensitive financial and personal data.
While you do hear of banks being targeted for attack, the keyword is targeted. Unless a hacker is specifically targeting your clinic or hospital, standard encryption is usually enough to keep out unwanted individuals. Most systems also have additional firewalls that protect against unauthorized access.
In general, when EMRs are simply being stored or transferred, encryption and firewalls keep them safe from all but the most ardent attackers (and even then, most companies that manage EMRs on behalf of clinics have safety experts that can mitigate damage quickly).
But if encryption works, why do 1 in 13 patients have their data compromised? The biggest flaw in the system isn’t electronic at all, but rather human.
The Human Factor of Record Safety
Any person involved in the use or delivery of a patient’s care has access to EMRs. This includes nurses, billing and claims officers, clinic and office staff members, network administrators and even the patients themselves.
While HIPAA grants patients key privacy rights when it comes to EMR safety, patients can access their medical records by simply requesting a copy of their file. EMRs stored on personal or home computers may not have the same protections that they would have in the clinic or hospital database.
Many patients store their own records online using a Personal Health Record (PHR), which is an online record (secured with a personal password) with your health information that helps you organize and manage your personal records. Weak user passwords can leave those records vulnerable to attack. HIPAA security standards don’t apply to PHRs, making them much less secure.
There are also exemptions to HIPAA’s privacy rules that may affect the safety of EMRs. Life insurers, employers and some school districts can access medical records without the patient’s knowledge.
Patients that access their records using unsecure devices, or store them with weak passwords, or allow access to third parties unknowingly (or knowingly) can create gaps in security that leave them vulnerable to theft.
Tips for Keeping Records Safe
So how do you ensure that EMRs are kept safe, whether at your clinic or hospital or when patients or third parties request access? Here are a few tips to ensure that private medical information is protected.
Educate patients on EMR safety. You have the least control over what a patient does with their medical records, so the more you can do to educate them about the dangers of their information falling into the wrong hands, the better. Creating pamphlets or having office staff address concerns with patients can help minimize risks.
Keep backup files offline. One of the ways hackers beat the encryption process is through the use of malicious software known as ransomware. Healthcare providers, insurers or affiliated vendors should keep current backups offline in case of a ransomware attack. This way if the system is compromised, the data can be easily secured and restored without the loss of personal information.
Include photos with EMRs to avoid fraud. Because information is often stolen for the purposes of medical insurance fraud, chances are that at some point, someone may use stolen information to receive medical care from your practice. You can minimize this risk by including patient photos with your EMRs that clinic staffs can double check against the insurance holder.
Reduce access to files in the office. Use a privacy screen for computers that patients or third parties may have access to and make sure that only office staff can see or access electronic patient files while in the office. This will limit the risk that someone will see something they shouldn’t by looking over a nurse or doctor’s shoulder.
Create strong passwords. Make sure your passwords are strong and that they are never shared with anyone that shouldn’t have access. If staff members are fired or let go, or other changes to staff are made, change the passwords as soon as possible. Remember to educate staff and patients on the importance of creating strong passwords to protect their medical information.
Always sign off when finished. Nurses, doctors and office staff should always sign off from the system when EMRs are no longer needed, and no record should be left opened on the computer when staff is out of the office or away from that computer.
By following a few of these strategies, you can reduce the chances of information being accidentally accessed by unauthorized individuals.
Keep your EMR safe with our safety checklist for providers.
Final Thoughts
Generally speaking, EMRs are just as safe, if not safer, than paper forms, and they offer many benefits that make them ideal for use in busy medical offices and hospitals. But that doesn’t mean they can’t be compromised.
There are instances where medical records can be hacked, though by and large, hacking is much less common than other risk factors. The biggest threat to the safety of your EMRs is actually human error: patients that store personal files on their computers while using weak passwords, or third party vendors accessing patient files in an unsecure manner.
To minimize these risks, it’s important for healthcare offices or hospitals to take precautions both in the office and out. Creating strong passwords, signing off at the end of a shift, including photos, backing up records offline, and educating patients on the importance of EMR safety can go a long way to keeping those records as safe as possible.