EHR and Health IT Consulting
Technical Doctor's insights and information collated from various sources on EHR selection, EHR implementation, EMR relevance for providers and decision makers

Electronic health records and data abuse: it's about more than medical info

On the heels of the recent announcement that medical insurance firm Anthem was breached, we look at the nuance and impact of a medical record breach versus a medical data breach. They are certainly related, but digging through troves of data containing primarily identity information is significantly different to an attack that focuses on specific treatment of a specific patient.

If an attacker can harvest name, social security number, phone, address, email and the like, that haul has a much wider potential audience than, say, whether or not a patient underwent a specific medical procedure. A stolen medical record containing a lot of detail may sell for a lot of money, but that market is more specialized than the broader market for general identity data.

To help folks visualize the different levels of data that thieves might want to swipe from a medical facility, and then abuse, my colleague, Stephen Cobb, created this diagram of a generic electronic health record.

Level 1 is pretty basic info, things that are fairly easily knowable about you without any hacking, normally sourced through Open Source Intelligence (OSINT) gathering. However, grabbing a big fat collection of such data might still earn a bad guy some black market bucks, say if a spammer needed fresh targets.

The illegal earnings potential goes up a notch if you can grab Level 2 data. Scammers can use that to carry out several kinds of identity theft: creating fake IDs, opening credit card accounts, committing tax fraud (filing fake returns to get a refund) or even using it to answer challenge questions for online accounts, thereby pivoting the attack to new digital beachheads. Even Level 2 data is enough to commit some types of medical ID theft, though the bad guys have no clue how healthy or sick you really are (here’s a pretty scary case of what can be done with just a stolen driver’s license).

Level 3 data just makes all of the above that much easier; plus, it enables new forms of badness. Some crooks prefer taking over an established account to opening a (fake) new one. The number of electronic records or EHRs that actually contain financial or payment data is not clear, but obviously a lot of healthcare entities do handle it at some point, making them a target for digital thieves who turn around and sell it on carder forums.

When you get to Level 4 data, the badness takes on a new dimension. If an attacker has a patient’s full (or partial) history, it’s easy to imagine matching up a willing bidder who needs a similar medical procedure with a donor record that (roughly) matches, in an attempt to obtain specific services they would otherwise have difficulty receiving.

But the options for selling medical history-style Level 4 records may be much narrower in scope than, say, bulk repackaging and resale on the underworld markets of lower levels, appealing to any buyer who wants to assume an identity, spread a wider net and attack other properties, or engage in fraudulent activity which is then blamed on you (if it’s your record that was compromised).

Of course, the threatscape may well change as the EHR becomes more universal. With the proliferation and sprawl of third party providers who are somehow tapped into a cohesive health ecosystem, there will always be various specialized smaller providers whose business is targeted to a specific subset. That’s not bad, it’s just how the health segment does business; in many cases it leverages strengths of one organization to help another. But it does imply a larger potential attack surface, which has implications for security if the data sprawl is not carefully managed. For example, if an attacker can gain a beachhead in one of the providers in the ecosystem, will they then have an elevated trust relationship with other systems within this ecosystem?

And here’s the rub: having instant digital access to all of a patient’s medical data (or other sensitive information) wherever a doctor happens to physically be is a wonderful tool, but now we have many more endpoints in question with security environments to understand and corral. This implies an ongoing need, not just for really smart endpoint protection, but also strong encryption, and authentication, as well as sane network segmentation, vigilant network monitoring and reliable disaster recovery.

Why Should Your Practice Have a Cloud-Based EHR? - HITECH Answers

If you’re still debating whether to go with a web-based EHR or a server-based EHR, you should know why a growing number of practices are choosing to go with a cloud EMR.

How does a web-based EMR differ from the older technology of a client server-based EHR system?

A cloud EMR is different (and better, in our opinion) due to the following factors:

Your software is always up to date
With a web-based EMR, the software is always up to date, usually at no additional charge. No more expensive upgrades causing delays; just open the SaaS-based software and you have the latest version.

Rest easy on HIPAA data requirements
Data security is much easier to manage with a web-based system. Cloud EHR vendors can provide much more security for your data than you can internally with office servers. As reported by the Business Insurance site, “Data breaches seem to be everywhere these days except the one place everyone fears—the cloud.” That could be because cloud EMRs offer financial-level security for your data.

Accessibility—work from anywhere
One of the things many users love about the cloud is the ability to work from anywhere—whether it’s e-prescribing from a smartphone or checking a patient record from the beach while on vacation. We don’t recommend you work on your vacation, but we understand the realities of medical practice.

Cloud-based EHR systems allow continued functioning during and immediately after disasters
Hospitals and physicians discovered the benefits of cloud-based data first after Hurricane Katrina and again after Super Storm Sandy; with a web-based system, you can practice (and bill) from anywhere.

Reduced expense for both software and hardware
A cloud-based system is more cost-effective, particularly for small to medium sized practices, since there are no large hardware expenditures and the software expense is a consistent, low subscription rate. You won’t have to plan for large hardware and software expenditures.

Better IT support
Damn it, Jim, you’re a doctor—not an IT person. And you will probably not be able to hire IT support of the same caliber as the staff of a web-based EHR vendor. Why not make use of their resources and eliminate your headaches?

You can use a cloud-based EHR on a mobile device such as an iPad or other tablet
A survey of physicians by web-based EHR review group Software Advice showed that 39% of physicians want to use their EHR on a tablet such as iPad, and in another survey, a majority of patient respondents indicated that they find use of an EHR on a tablet in the exam room to be “not at all bothersome.”

Satisfaction levels are higher among mobile EHR users
A recent survey by tablet-based EHR review group Software Advice found that providers using a mobile EHR expressed twice the satisfaction levels of those using EHRs via non-mobile systems. And as mentioned above, an effective mobile EHR needs to be cloud-based.

It’s particularly important to note that cloud-based systems are nearly always more secure than any system you could set up in your office. For most practices, data security and HIPAA best practices are not their area of expertise—excellent patient care is. But for cloud EMR systems, those areas are key to our success. We are better at it because we must be in order to continue in business. And as mentioned above, the proof is in the lack of data breaches among cloud-based companies.

One proof of the idea that a cloud-based EHR is the best choice is the fact that most EHRs that were originally server-based have since developed cloud-based offerings as well. If server-based technology is state of the art, why are those vendors switching platforms?
