The healthcare industry is embracing the technology evolution that is impacting virtually every sector of business and life. Healthcare providers are using new devices for procedures, catching conditions earlier, and tracking patient information. Telehealth and electronic health records are contributing pivotal pieces to the puzzles of value-based care and reduction of costs.
But with this rise of technology comes threats to infiltrate these new systems and wreak havoc. Cyberattacks, malware, and stealing of information is commonplace, and the healthcare field is just beginning to feel the ripples of an impending tidal wave. Possible outcomes of a cyberattack on an EHR include: the system being held hostage and providers unable to see patient charts until release, release of personal health information to the highest bidder, or releasing personal information such as social security and credit card information for identity theft. Hackers are demanding ransoms from the health systems from which they steal, keeping EHRs in their clutches until demands are met that are detrimental to the health system’s coffers and reputation alike. For example, St. Joseph’s Health in Irvine California paid $7.5 million as a settlement with patients over a data breach that occurred in 2012. In early 2016, Hollywood Presbyterian Medical Center paid around $17,000 for the release of its medical records. So far in 2016 there have been around eight reported attacks on health systems—a number expected to increase as the year goes on—and if one follows the news on these attacks, it seems to be happening with much greater frequency.
A main reason for these attacks is the amount of money spent to stop them. According to a survey by HIMSS Analytics, only 6 percent of healthcare information technology budgets are spent on security compared to 16 percent by the federal government and around 12 to 15 percent for financial institutions. This glaring shortfall shows the lack of importance health systems are putting on the issue and why there has been such an increase in attacks on EHRs around the country. According to the same report, healthcare attacks have increased 125 percent over the past five years due to personal health information being 50 times more valuable on the black market than financial information, as well as the relative ease with which the assaults can be completed.
Moving forward, this could have major ramifications on EHRs and health systems both financially and strategically. Because of the heavy investments many hospitals put into EHRs, it would make sense to spend enough to protect them, which would either result in a larger IT budget or more of the IT budget allocated to security. The latter measure alone would likely take away from EHR development and hinder future innovation, hurting the potential for improved health outcomes due to EHR technology. A greater focus on improving technological security could also shift broader strategies of hospitals and health systems. Protecting the technological aspects of business could create new job openings and opportunities, while possibly taking away from more traditional focuses such as construction and expansion.
As the healthcare industry continues to leverage technology for lower costs and higher quality care, the more integral the technology will become to the system. Without increasing resources designed at fortifying cyber security, health systems will see new waves of attacks, putting them and their patients at financial and personal risk.
Evan Camden is an associate analyst at DRG and an electronic health records expert. Follow him on Twitter at @EvanCamdenDRG