By Matt Fisher, Esq
Twitter: @matt_r_fisher
The rapid adoption of electronic health records (“EHR”) and other new technology in healthcare has resulted in the introduction of serious security threats. Numerous stories and reports have made it clear that hackers, criminals and others view the healthcare industry as a ripe target due to security vulnerabilities. This issue is exacerbated by the high value placed upon medical records in the black market.
The question that many are asking is was all of the money spent on acquiring EHRs misspent now that security flaws or issues are popping up with such frequency. Namely is healthcare throwing good money after bad. To some degree it may be a misplaced accusation. Any adoption of newer technologies will lead to issues, including exploitation of flaws that may not be expected. Unfortunately, it is also likely that bad actors will be ahead of the field when it comes to finding weaknesses or ways to get at data. Such a scenario should be viewed as an inherent risk in implementing technology. That being said, it is likely an unavoidable risk in this day and age. It is simply too difficult and against expectations to remain on the digital sidelines.
The increase in attacks against healthcare entities should appropriately raise alarm bells and spur action. Medical information is very sensitive on many levels and needs to be protected. One place to look for a solution is HIPAA. As is well-known, the HIPAA Security Rule sets standards for protecting health information. The technical, physical, and administrative safeguards define certain minimum standards to follow. In the current day and age though, the HIPAA standards by themselves are probably not enough. From this perspective, it is important to remember that HIPAA only sets a floor, not a ceiling. Best practices may well require actions beyond those proscribed by HIPAA. The healthcare industry needs to evolve and adapt to new realities.
The speed with which adaptation can occur will dictate how secure medical information remains. While much money was and is being spent in connection with new digital and technological solutions, the expense is not going to end as long as threats remain. Technology takes investment, time and attention, all of which are ongoing and recurring obligations.
About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.