Healthcare Not Up To Task Of Securing Electronic Medical Records, Experts Say

Healthcare organizations with established databases are typically behind other industries in how they secure their data stores

Dark Reading Staff, Dark Reading

April 30, 2010


As healthcare organizations work to earn the incentives dangled in front of them by the HITECH Act, the adoption of electronic medical records (EMR) has accelerated. But at the same time, healthcare fraud has also risen, and experts say if organizations don't effectively address data and database protection in healthcare's transition from paper to digital record-keeping, the threats to patient confidentiality and organizational security will skyrocket.

Two surveys in recent months punctuate the security pundits' warnings. The first, a survey conducted by SK&A in February, showed that the adoption rate of EMRs within U.S. medical offices rose by more than three percentage points in the past year, to 36.1 percent. EMR adoption is more prevalent at hospital- or health-system-owned sites, which have adoption rates of 44.1 percent and 50.2 percent, respectively.

This data tracks with another poll by NaviNet, which showed that use among small healthcare organizations jumped by three percentage points in the last year, from 9 percent to 12 percent.

Meanwhile, a third poll released by Javelin Research and Strategy in March illustrates the darker side of EMR's uptick: Fraud based on exposure to health data rose from 3 percent to 7 percent between 2008 and 2009.

While the healthcare industry has for decades been plodding toward the eventuality of transforming paper records to digital, it received a legislative boost in early 2009 with the passing of the American Recovery and Reinvestment Act of 2009. Carved into this overarching stimulus bill, the HITECH Act was designed specifically to encourage organizations to step up their efforts to transition to EMR with a host of financial incentives -- $19.2 billion in total.

But James Van Dyke, president of Javelin, says analysts at his practice are skeptical of the healthcare industry's ability to advance its EMR adoption rate while protecting the data at hand.

"We think medical providers aren't up to the task. They won't have security best practices in place to match the incidents of fraud, and we think theft of personal health information is going to get worse," he said in a statement.

Much of the difficulty in getting healthcare organizations to lock down their databases comes down to culture, says Deke George, CEO of NetSPI, a security consultancy with a strong healthcare client base.

"I think in the end, the biggest problem in the healthcare market is that there's always been a balance between the idea that a life is worth more than the possibility that someone will be able to access information," George says. "And an evolved sense of risk management and compliance and security really doesn't exist in that space. So organizations really just haven't dealt with how to implement security for any level, whether at the database or elsewhere."

He believes that larger healthcare organizations with already established databases tend to be far behind counterparts in other industries in regard to how they secure these data stores. One of the less-than-best practices he often sees clients engaged in is the overall lack of segmentation or logical separation of data based on risk.

"There are many healthcare environments that still haven't even put in DMZs," he says. "From just a logical separation within the larger environments, these organizations are not necessarily segmenting off their databases."

This is exacerbated by the fact that sensitive data tends to be copied into multiple instances across numerous databases to satisfy the need for information sharing and analysis in healthcare informatics.

"It's more than a leak -- what ends up happening is there's a lot of data warehousing and there's a lot of information that is in one database, but it gets spread around because it needs to be used for healthcare informatics in other uses," George explains. "So you have all of these databases that just multiply, whether it's because the applications themselves grow or the use of the database information grows from the native database to the data warehouse to other types of systems that now need this information."

Additionally, many healthcare organizations also leave unprotected data within test environments. "Everyone says up front that they don't have real information in their test environments, but I would say probably 50 percent of the time we find that test environments contain live information," George says.

He believes the first step organizations can take to improve their data protection strategy -- particularly as they add more data to databases by converting paper-based files to digital -- is to acquire an intimate understanding of where data resides.

"Many healthcare orgs don't have a full picture of the data mapping and where data resides, so that's the first step. It's a matter of change management, actually understanding where this information resides, and understanding the value of the data so at the strategic level you can justify protecting the information," George says. "People need to understand where these databases are and how they're interconnected. The second step is segmenting: only allowing the appropriate users appropriate levels of access to that information."
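George's two steps, mapping where PHI resides and how databases are interconnected, then checking that copies stay inside segmented, appropriately controlled zones (and out of test environments), as an added Python sketch that is not from the article or from NetSPI; the database inventory, zones, and ETL flows are constructed sample data, not a real deployment:

```python
from collections import deque
# Constructed inventory (not real systems): zone = network segment, tier = prod/test.
DATABASES = {
    "ehr_prod":    {"zone": "clinical",  "tier": "prod"},
    "warehouse":   {"zone": "analytics", "tier": "prod"},
    "informatics": {"zone": "analytics", "tier": "prod"},
    "billing":     {"zone": "flat",      "tier": "prod"},
    "ehr_test":    {"zone": "flat",      "tier": "test"},
}
# Constructed ETL feeds and copies: (source, destination, table).
FLOWS = [
    ("ehr_prod",  "warehouse",   "patient"),
    ("warehouse", "informatics", "patient"),
    ("ehr_prod",  "ehr_test",    "patient"),
    ("ehr_prod",  "warehouse",   "encounter"),
    ("ehr_prod",  "billing",     "encounter"),
]
PHI_TABLES = {"patient", "encounter"}
SEGMENTED_ZONES = {"clinical", "analytics"}  # zones with their own access controls

def phi_spread(flows, phi_tables):
    """{table: {db: path}}: every database a PHI table reaches via transitive copies."""
    graph = {}
    for src, dst, table in flows:
        if table in phi_tables:
            graph.setdefault(table, {}).setdefault(src, []).append(dst)
    spread = {}
    for table, edges in graph.items():
        targets = {d for dsts in edges.values() for d in dsts}
        queue = deque((s, [s]) for s in edges if s not in targets)  # native DBs
        reach = {}
        while queue:
            db, path = queue.popleft()
            if db in reach:
                continue  # visited already; also guards against cyclic feeds
            reach[db] = path
            queue.extend((nxt, path + [nxt]) for nxt in edges.get(db, []))
        spread[table] = reach
    return spread

def findings(databases, flows, phi_tables, segmented_zones):
    """Flag PHI copies landing in a test tier or outside a segmented zone."""
    out = []
    for table, reach in phi_spread(flows, phi_tables).items():
        for db, path in reach.items():
            if databases[db]["tier"] == "test":
                out.append((table, db, "live PHI in test environment", path))
            if databases[db]["zone"] not in segmented_zones:
                out.append((table, db, "PHI outside segmented zone", path))
    return out
```

Each finding carries the copy path back to the native database, which is the "how they're interconnected" part of the map and tells you which feed to cut or mask.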

The fortunate thing about healthcare's lagging data protection practices is that even though the sector has its own unique IT challenges, database security is universal no matter what kind of data is stored, says Josh Shaul, vice president of product management for database and application security vendor Application Security Inc.

"I think the drivers are unique and the fact that folks are moving from all of these paper-based records to the electronic records is maybe unique," Shaul says. "But I don't think there's anything else about database security that's unique in healthcare. In the end we're all securing data in databases and Oracle, SQL Server, and Sybase. They work the same whether you have your secret recipe in them or you have your healthcare information in them or you have credit card data in them."

As such, healthcare organizations that might have never endeavored to take database precautions need only look for best-practice and thought leadership material for pointers on how to get a database protection program in order.

Shaul believes, however, that because the drivers to move from paper-based to digitally stored records are prodding organizations that may never have had much of a database in place before, some of them have a unique opportunity to apply these best practices far more affordably than those that must wrangle legacy database systems.

"The fact that these are folks that are used to using paper-based records -- the whole notion of data security is kind of brand new for them. The hard lesson that folks in other industries have learned is if they don't build in data security from day one, it costs a lot of money," Shaul explains. "These folks that are going through this transition to electronic medical records have the opportunity to sort of start fresh and start with a system that is built with privacy and confidentiality and regulatory compliance built in from day one."
