Hacking

December 23, 2014; MIT Technology Review

The implementation of electronic health records (EHR) in hospitals across the U.S. has been accompanied by unauthorized access to patient records. Data security firm Websense reports a 600 percent increase in web-based attacks on hospitals in the past ten months. Websense believes that attacks on hospitals will increase in 2015 as more hospitals use EHR more widely and as more patient information is available online.

NPQ has reported on the funding problems facing nonprofit hospitals. Electronic health record implementation is a key component of the Affordable Care Act because it is believed to be a long-term cost-saving measure for insurers (including government programs like Medicaid and Medicare) that will also allow providers to more closely and completely track patient wellness information. The same features of EHR designed to make online systems easier to use and connect with each other can be taken advantage of by hackers to infiltrate a hospital or clinic’s database and steal patient health, financial, and identification information (such as a Social Security number). Cash-strapped hospitals implementing EHR systems may not have the funds to dedicate to comprehensive security testing, and may implement EHR with a view toward satisfying doctors’ and nurses’ needs and simply accept the potential increased risk of data theft.

The MIT Technology Review article notes that today’s hackers aren’t just interested in getting access to credit card numbers and bank accounts. The unsettling reason is that there are too many credit card numbers for sale already. Combined with other public data and information hacked from other sites, the comprehensive health records let data thieves compile a person’s individual profile, which can be worth hundreds of dollars on its own. Such profiles can also be used to impersonate someone online in any number of ways.

Security testing will inevitably clash with usability testing as electronic health records systems are implemented. While it’s easy to prefer usability to security, especially when it appears to save time and money, what happens when a hospital’s data breach becomes known to the community? The cost to its reputation and patient affinity may be far greater than the money saved by not adequately securing its online systems.—Michael Wyland