What goes wrong for practices with poor cloud EHR security

According to a recent study by the independent privacy, data protection and information security research group, Ponemon Institute, criminal data hacks in healthcare are up 125% since 2010 and are now the leading cause of EHR data breach, with nearly 45% of data breaches in healthcare a result of criminal activity.

Criminal healthcare data breaches carried out by hackers who exploit a weakness in a network, transfer personal healthcare information to their own storage devices and peddle it on the black market, are an ever-present danger. There has also been a spike in ransomware attacks over the last few years whereby networks and computer systems are frozen by malicious software until a ransom is paid to the hackers. Given this new threat, a practice should ensure they have developed effective cloud EHR security protocols to mitigate the threat posed by hacks and ransomware attacks, and an emergency plan in the event a breach occurs.

The consequences of neglecting cloud EHR security

The consequences that can arise from failing to plan cloud EHR security protocols primarily involve financial damage arising from remediation of compromised personal healthcare information, lost productivity, due to breach related network outages, lost revenues due to reputational damage arising from a data breach or civil or criminal penalties being imposed under HIPAA or HITECH.   

Recommended reading: find vendors offering strong cloud EHR security tools using our completely up-to-date EHR vendor directory

To put these economic costs in perspective, estimates from the Ponemon Institute show that the direct economic costs of a data breach to be roughly $200 per record. This figure did not include indirect costs such as reputational damage arising from a breach and lost productivity arising from staff time being diverted away from normal activities.

Lost productivity and excess time spent attending to a network breach can increase significantly in the case of a ransomware attack which results in an entire network being disabled.  Further an organization may be subject to regulatory fines up to $50,000 per violation, with a maximum penalty of $1.5 million per year for violations of an identical provision in cases which involve willfully exposing healthcare data. Violations of data privacy laws can also carry criminal penalties that can be imposed on responsible parties.

Which practices are most at risk?

According to risk and liability publication Insurance Journal, “small- to middle-market organizations are at greater risk for data breach as they have limited security and privacy processes, personnel, technology, and budgets.” Although the most high-profile data breach cases occur in large organizations, it is the practices that are exposed to the most risk that is likely not in a position to absorb the economic burden of a data breach.

In both cases, a practice can suffer severe economic consequences, that are largely preventable with the appropriate measures in place. These security protocols involve not only the technological aspects of cloud EHR security, such as data encryption and restricting  access to workstation, but also training staff to avoid security risks like opening emails that may contain malicious files or using mobile devices to share health information without following proper security protocols. In the event security is compromised, a practice should firstly follow protocols for breach notification contained in the law and also provide specific roles and procedures staff should follow in the event of a security emergency.