Securing Electronic Health Records: Report from HHS Reinforces Need for Contingency Plans

By Eric Noonan • August 29, 2016

Type “EHR” and “information security” into Google and you will find tons of websites, news articles, and even YouTube videos touting the various pluses and minuses of electronic health records (EHRs). In the last few years, the EHR has become the physician’s best friend, as it helps provide better care, better population health and lower health care costs. While EHRs might be changing the way hospitals and practice offices operate, there are still issues with using EHRs securely. According to the HHS Office of Inspector General, nearly “60 percent of hospitals participating in the federal meaningful use incentive program reported an unplanned disruption in their record systems in 2014 and 2015.” [Note that the meaningful use program is a federally backed program designed to encourage adoption of EHRs by doctors and hospitals.] It is also important to note that most of the reported unplanned disruptions were caused by hardware failure, not by cyberattacks. While hardware failures are a concern, cyberattacks should also be at the top of the list. Hospitals are facing an increasing number of directed cyberattacks aimed at disrupting and disabling the IT and health record infrastructure.

Having a contingency plan in place to deal with unforeseen events, such as disruptions from hardware failure or loss of patient data because of a cyberattack, will ensure that your organization can plan and be ready when the inevitable strikes. According to the HHS report from July 2016, many of the medical practice organizations investigated, including hospitals and practice offices, followed HIPAA requirements for their contingency plans, including backing up data, having a disaster recovery plan, having an emergency-mode operation plan, and testing and revising the contingency plan. The recent cyberattacks on hospitals have had a profound effect on the security of EHRs. Earlier this year, a hospital in California fell victim to a ransomware attack that disabled its network and EHR system for a week, which led to delayed patient care and required patients to be moved to other facilities. In March, MedStar Health reported a suspected ransomware attack that required the healthcare network to take all of its computer systems offline.

During cyberattacks and hardware failures, healthcare organizations rely on backup data in order to return to operations quickly. Without a contingency plan in place, cyberattacks and outages will cause major headaches for the healthcare provider. The HIPAA Security Rule requires that covered entities protect and secure the confidentiality, integrity, and availability of electronic protected health information (ePHI), and the EHR is one of many applications that store such data. Securing this type of data is important, as its loss can be a significant financial burden on the healthcare organization.

While the report emphasizes the need for contingency plans, it does not address other areas of security requirements under HIPAA.  HIPAA is required for federal entities, and the HHS Office of Inspector General (OIG) has previously recommended that OCR “fully implement a permanent audit program to assess compliance with HIPAA requirements.”

Whatever your organization’s requirements are, let CyberSheath help you prepare for the unplanned disruption.
