Michael Chiang, MD, past chair of the American Academy of Ophthalmology’s Medical Information Technology Committee, says EHR adoption is increasing dramatically. “We surveyed the AAO membership in 2008, and about 12 percent of ophthalmologists were using EHRs,” he says. “In 2012, we repeated that survey, and the adoption rate went up to 34 percent. Now in 2015, my guess is that it’s at least 50 percent to 60 percent. The point is that, in a relatively short amount of time, there has been a dramatic shift in terms of how doctors are handling their records. EHRs make medical data far more accessible than ever before, but one downside is that there are more potential risks from security breaches. Stores like Target have had tens of millions of customers’ credit card data compromised, which was done using nothing more sophisticated than off-the-shelf malware.” Dr. Chiang is currently a professor of ophthalmology and medical informatics at the Casey Eye Institute at Oregon Health & Science University.
He notes that ophthalmologists really need to take this risk seriously because security is a shared responsibility. “Most of us use information systems that are sold to us by vendors, and it is ultimately our responsibility to make sure vendors are managing these risks appropriately and that we and our staff are using these systems properly,” he says.
Mary Ann Fitzhugh, vice president of marketing at Compulink Business Systems, agrees. “This is a really important issue for private practices, and our experience is that they aren’t nearly as vigilant as they need to be or are not taking the steps they need to protect themselves,” she says. “Now that patient data are online, the genie is out of the bottle, and providers need to be aware of who is accessing patient information and what they’re doing when they access it. They also need to ensure that those who don’t have authorized access don’t get access. And, this security mindfulness needs to occur at several levels, including not only the strong built-in features we provide in the software but also the devices (phone, tablets, wireless access, office PCs) that staff members are using to access the EHR. Their EHR vendor can assist with some of these issues, but doctors need to stay on top of other issues, such as the security of the PC or device they are using to access their EHR software.”
On January 29, Anthem, the nation’s second-largest health insurance company, detected the breach of a database containing records for 80 million customers and employees. On February 4, Anthem began notifying affected individuals. Anthem was then named as a defendant in six separate class action lawsuits filed in federal courts in Alabama, California, Georgia and Indiana.
According to Anthem, “Cyber attackers executed a very sophisticated attack to gain unauthorized access to one of our parent company’s IT systems and have obtained personal information relating to consumers and Anthem Blue Cross and Blue Shield employees who are currently covered, or who have received coverage in the past. The information accessed includes names, birthdays, social security numbers, street addresses, email addresses and employment information, including income data. No credit card information was compromised, nor is there evidence at this time that medical information such as claims, test results or diagnostic codes were targeted or obtained. As soon as we learned about the attack, we immediately made every effort to close the security vulnerability, contacted the FBI and began fully cooperating with their investigation. Our parent company has also retained Mandiant, one of the world’s leading cybersecurity firms, to evaluate our systems and identify solutions based on the evolving landscape.”
For those whose information was accessed, Anthem provided credit monitoring and identity protection services free of charge.
What Can Vendors Do?
EHR vendors are taking steps to help protect their clients. According to Ms. Fitzhugh, features within the software can secure patient data and protect against threat. Compulink’s system includes the following:
• Multiple levels of access controls to specify access rights to patient data.
• Automatic audit logging, which tracks, records, and reports on activities, such as which users have accessed a patient record and what changes they made to that record. “Our audit logs also monitor when protected health information is exported out of our software, such as through printing, or imported into our software,” she says.
• Support for data encryption and authentication protocols to ensure the highest levels of data integrity are maintained and to control access to electronic protected health information.
• Automatic log-off, where the software will “time out” user access to patient records after a pre-determined time of inactivity.
• Support for “hashing”: upon receipt of electronically exchanged information by the software from another source, “we verify that information has not been altered,” she says.
“We also have taken steps to help our clients secure physical access to their EHR systems. We offer Advantage Cloud, a state-of-the-art hosted solution. This solution allows the client full access to the software, while we maintain the network, software and hardware in our secure and HIPAA-compliant data center. All connections to our Cloud solution are encrypted.”
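The “hashing” check described in the feature list above, worked through as an added example (this is not Compulink’s code, and the record layout, field names and shared key are all constructed for illustration). It shows why the check matters in two forms: a plain SHA-256 digest detects accidental corruption of a record in transit, but whoever alters the record can simply recompute it, so a keyed hash (HMAC) with a secret the receiving practice shares with the sender is what lets the receiver tell that nothing was deliberately changed.

```python
import hashlib
import hmac
import json

# Constructed sample record exchanged between two systems (not real patient data).
SAMPLE_RECORD = {
    "patient_id": "TEST-0001",
    "visit_date": "2015-03-02",
    "iop_mmhg": {"od": 16, "os": 17},
}

# Assumed shared secret, provisioned out of band between sender and receiver.
SHARED_KEY = b"example-shared-key-not-for-production"


def canonical_bytes(record: dict) -> bytes:
    """Serialize deterministically so sender and receiver hash identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sha256_digest(record: dict) -> str:
    """Plain hash: detects accidental corruption, not deliberate alteration."""
    return hashlib.sha256(canonical_bytes(record)).hexdigest()


def hmac_tag(record: dict, key: bytes = SHARED_KEY) -> str:
    """Keyed hash (HMAC-SHA256): a party without the key cannot produce a matching tag."""
    return hmac.new(key, canonical_bytes(record), hashlib.sha256).hexdigest()


def verify_sha256(record: dict, expected_digest: str) -> bool:
    # compare_digest avoids leaking match position through timing differences
    return hmac.compare_digest(sha256_digest(record), expected_digest)


def verify_hmac(record: dict, expected_tag: str, key: bytes = SHARED_KEY) -> bool:
    return hmac.compare_digest(hmac_tag(record, key), expected_tag)


def demo() -> dict:
    """Sender computes digest and tag; receiver checks intact and altered copies."""
    digest = sha256_digest(SAMPLE_RECORD)
    tag = hmac_tag(SAMPLE_RECORD)

    altered = json.loads(json.dumps(SAMPLE_RECORD))  # deep copy
    altered["iop_mmhg"]["od"] = 26                   # value changed in transit

    # A plain digest recomputed over the altered record still "verifies"...
    recomputed_digest = sha256_digest(altered)
    # ...whereas the HMAC tag cannot be recomputed without SHARED_KEY.
    return {
        "intact_sha256_ok": verify_sha256(SAMPLE_RECORD, digest),
        "altered_sha256_ok": verify_sha256(altered, digest),
        "altered_recomputed_digest_ok": verify_sha256(altered, recomputed_digest),
        "intact_hmac_ok": verify_hmac(SAMPLE_RECORD, tag),
        "altered_hmac_ok": verify_hmac(altered, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The third result is the caveat a practitioner should carry away: a bare hash shipped alongside the data only proves the data matches that hash, so an integrity check worth the name either uses a key the sender and receiver share (as here) or a digital signature over the record.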
If clients wish to install the software on their own servers at the practice, Compulink’s IT support group advises them on the security measures they need to take, including installing antivirus software and making full use of the security features of the operating system. “We also routinely send security bulletins to our clients of industry-wide security attacks like the infamous CryptoLocker Virus,” says Ms. Fitzhugh.
CryptoLocker is malware (ransomware) that affects only Windows PCs: it holds the files on your computer hostage, and you are required to pay a fee or lose everything on your hard drive. It arrives as an email that appears to come from a logistics company, like FedEx or UPS, and users are tricked into opening it. Once it runs, the files on your computer become inaccessible. If your files are not backed up, your only option is to pay the “ransom” within 100 hours; if you don’t pay, you lose all of your files. Ransom amounts typically range from $100 to $700.
What Can You Do?
According to Jim Messier, vice president of sales and marketing, Medflow Inc., the safety of the data depends on the type of security that you have in place. If you have a client-server product that sits in your office, someone can come in and pick up the box and walk away with it. “If you have this type of product, you should have encryption, so that if someone were to take the server, he wouldn’t be able to get anything important from it,” he says. “On the cloud version of the product, there are multiple layers of protection for information. First and foremost, you need an electronic certificate from any device that would access the cloud. So, one limitation is that you wouldn’t be able to access your records from the admiral’s club at the airport using their internet computers. The device itself has to be authenticated to the application on the cloud. Of course, you have the user credentials as the second layer of protection.”
Additionally, data that resides in the cloud is also encrypted so that if someone breaches the protection that is in place and obtains information, it would not be recognizable or downloadable in human-readable format. “It is important to make sure that the vendor has some type of encryption program in place,” says Mr. Messier. “If it is a cloud product, it should be with a tier-4 type of hosting company, and the hosting companies themselves are held to a high degree of scrutiny with regard to what they employ for protection within their data center itself. Even with encryption programs, the federal government has been breached.”
Unfortunately, nothing is 100 percent safe. “There are a lot of clever, malicious people out there,” says Mr. Messier. “You can track who has accessed your data through an audit log. Any good software will have an audit log, which will tell you every access point to the server and to patients’ charts. It will tell you the date, time, what was accessed and who accessed it. If someone tried to access something that he didn’t have roles and permissions for, then that would typically be noted in an audit log, and the manager of the system would be able to see that and either identify that as an internal member of the organization or someone from the outside.”
Whether the manager is someone inside the office or from a third party typically depends on the size of the practice. If the practice has its own IT staff, then this is something that the IT staff would be tending to on a regular basis. “If you are working with a vendor, that might be provided as part of your software maintenance support,” says Mr. Messier. “If I’m responsible for hosting that information, then that’s part of my software license agreement that I’m providing you with that kind of security. If it’s a client-server product within your walls, then it would be up to the practice to look at the audit log regularly or have a third-party IT company looking at it. Cloud-based systems have more layers of protection than in-office systems.”
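Mr. Messier describes what an audit log records (date, time, who, what) and what a manager should look for in it (access attempts outside a user’s roles and permissions). The script below is an added example of that regular review, not code from Medflow or any other vendor: the CSV layout, user names, patient IDs and thresholds are all constructed for illustration, and a real EHR’s export will differ. It flags three patterns worth a manager’s attention: a user accumulating denied actions, chart access outside business hours, and one user touching many distinct charts in a short window, which is what bulk copying of records tends to look like in a log.

```python
import csv
from collections import Counter, defaultdict
from datetime import datetime
from io import StringIO

# Constructed audit-log sample in a CSV layout chosen for this example (no vendor's format).
SAMPLE_LOG = """\
timestamp,user,action,patient_id,result
2015-03-02T08:05:11,dr_smith,view_chart,P-1001,allowed
2015-03-02T08:07:40,dr_smith,edit_chart,P-1001,allowed
2015-03-02T08:12:03,front_desk,view_chart,P-1002,allowed
2015-03-02T08:12:45,front_desk,export_chart,P-1002,denied
2015-03-02T08:13:02,front_desk,export_chart,P-1002,denied
2015-03-02T08:13:20,front_desk,export_chart,P-1003,denied
2015-03-02T09:30:00,tech_01,view_chart,P-1004,allowed
2015-03-02T23:41:10,tech_01,view_chart,P-1010,allowed
2015-03-02T23:41:30,tech_01,view_chart,P-1011,allowed
2015-03-02T23:41:52,tech_01,view_chart,P-1012,allowed
2015-03-02T23:42:15,tech_01,view_chart,P-1013,allowed
2015-03-02T23:42:40,tech_01,print_chart,P-1013,allowed
"""

# Review thresholds (assumed values; tune to the practice's normal workload).
DENIED_THRESHOLD = 3          # this many denied actions by one user merits a look
BULK_THRESHOLD = 4            # distinct charts touched within BULK_WINDOW_SECONDS
BULK_WINDOW_SECONDS = 300
BUSINESS_HOURS = (7, 19)      # 07:00-19:00 local; anything else counts as after-hours


def parse_log(text: str) -> list:
    """Read the CSV export and attach a parsed timestamp to each row."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["ts"] = datetime.fromisoformat(row["timestamp"])
    return rows


def denied_attempts(rows) -> dict:
    """Users at or above the denied-action threshold (permission probing or misassigned roles)."""
    counts = Counter(r["user"] for r in rows if r["result"] == "denied")
    return {u: n for u, n in counts.items() if n >= DENIED_THRESHOLD}


def after_hours_access(rows) -> dict:
    """Number of chart actions per user outside business hours."""
    start, end = BUSINESS_HOURS
    return dict(Counter(r["user"] for r in rows if not (start <= r["ts"].hour < end)))


def bulk_access(rows) -> dict:
    """Users who touch many distinct charts within a short window (possible copying)."""
    by_user = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_user[r["user"]].append(r)
    flagged = {}
    for user, events in by_user.items():
        for i, first in enumerate(events):
            window = [e for e in events[i:]
                      if (e["ts"] - first["ts"]).total_seconds() <= BULK_WINDOW_SECONDS]
            distinct = {e["patient_id"] for e in window}
            if len(distinct) >= BULK_THRESHOLD:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


def review(text: str = SAMPLE_LOG) -> dict:
    """Run all three checks over one log export and return the findings."""
    rows = parse_log(text)
    return {
        "denied": denied_attempts(rows),
        "after_hours": after_hours_access(rows),
        "bulk": bulk_access(rows),
    }


if __name__ == "__main__":
    for check, findings in review().items():
        print(f"{check}: {findings or 'nothing flagged'}")
```

Findings like these are leads, not verdicts: a technician working a late clinic will legitimately trip the after-hours check, which is exactly why Mr. Messier’s point about a named person reviewing the log regularly matters, since only someone who knows the practice can tell routine work from a staff member or outsider going where they should not.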
The Wilmer Eye Institute in Baltimore has begun using two-factor authentication to authenticate users of the systems, so users must have their user name, password and something else. Michael V. Boland, MD, PhD, associate professor of ophthalmology and director of Wilmer’s information technology, explains: “For example, they will send you a code on your cell phone to increase the likelihood that users are who they claim. For smaller practices, it is challenging because you are expected to do all of the same things with a smaller budget and a smaller staff. Trying to go it alone in terms of security becomes risky for those small practices because you are not necessarily going to have the best quality security staff. That’s why outsourcing your data storage to someone else may be a reasonable thing to do.
“It is increasingly complicated to handle security on your own, so the key message is that you need to get expert help,” he says. “You can’t really do it on your own anymore. You can outsource it to a contractor who will help secure servers that are located at your practice or you can outsource all of your data storage and server needs. It has become sufficiently complicated that it is not a good idea for a small practice to try to do this on its own.”
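The “something else” Dr. Boland describes is a one-time code delivered to the user. As an added example (not Wilmer’s implementation, whose delivery mechanism is a code sent to the phone), the block below implements the HMAC-based one-time password scheme of RFC 4226 that authenticator apps and many code-delivery back ends use, together with the server-side checks that make a second factor actually protective: a code is consumed once it is used so it cannot be replayed, a small look-ahead tolerates codes the user generated but never typed, and repeated wrong guesses lock the factor so a six-digit code cannot simply be brute-forced. The secret used is the RFC 4226 test vector key, not a real credential, and the `SecondFactor` class and its field names are constructed for this illustration.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


@dataclass
class SecondFactor:
    """Server-side state for one enrolled user (constructed example, not a vendor's design)."""
    secret: bytes
    counter: int = 0          # next counter value the server expects
    look_ahead: int = 5       # tolerate a few generated-but-unused codes
    failures: int = 0
    max_failures: int = 5     # lock the factor after this many wrong codes

    def verify(self, submitted: str) -> bool:
        """Accept a code once, advance past it, and count failed attempts."""
        if self.failures >= self.max_failures:
            return False  # locked: requires an administrator to reset
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), submitted):
                self.counter = c + 1   # this code and all earlier ones are now spent
                self.failures = 0
                return True
        self.failures += 1
        return False


def demo() -> dict:
    """Walk through a login sequence; password verification (the first factor) is out of scope."""
    sf = SecondFactor(secret=b"12345678901234567890")  # RFC 4226 test secret, not a real key
    results = {
        "first_code_ok": sf.verify(hotp(sf.secret, 0)),
        "replay_rejected": not sf.verify(hotp(sf.secret, 0)),   # same code a second time
        "skip_ahead_ok": sf.verify(hotp(sf.secret, 2)),         # code 1 was never typed
        "stale_code_rejected": not sf.verify(hotp(sf.secret, 1)),
    }
    for _ in range(sf.max_failures):
        sf.verify("000000")                                     # repeated wrong guesses
    results["locked_after_guessing"] = not sf.verify(hotp(sf.secret, sf.counter))
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The design point for a practice evaluating a vendor’s two-factor option is visible in `verify`: the value of the second factor comes from the server refusing reuse and rate-limiting guesses, not from the code merely existing, so those behaviours are worth asking about.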
Dr. Chiang points out another issue: keeping passwords secure. “It is very important that all of these systems have passwords, and that all staff members are setting appropriate passwords and using them securely,” he says. “In other words, make sure they are not writing passwords down on Post-it notes or sharing their passwords with others. The recommendation is to use strong passwords, which means that they are a mixture of characters, upper and lowercase letters and numbers. Don’t use anything that can be easily guessed like the name of your children, your birthdate or words like ‘password.’ There really should be a different password for every system. Studies have shown that when you don’t use strong passwords, it is easier for people to hack into your system. One tip is to either spell words backwards or to use password management software, some of which can be downloaded for free. Password management software will store your passwords and can automatically assign strong passwords.”
What to Do After a Breach
There are typically two types of breaches. One involves copying data, while the other is deleting data from your system. “A breach can cause a worm or bug in the database,” Mr. Messier says. “There are forensic companies out there that do that kind of work, and they may or may not be able to recover your data. Most of these breaches that you hear about are just basically taking copies of the information and not deleting it.”
According to Dr. Boland, if you know that there has been a breach, you are required to report it. “That doesn’t necessarily mean that you are going to be fined or penalized, because these things happen. You are expected to have all of the policies and procedures in place to show that you did everything you could to protect your patients’ information. As is the case with other ‘bad outcomes,’ coming clean is an important strategy,” he says.