Electronic health records, and the information systems in which they function, represent a major turning point in health care both as an industry and as a discipline. Yet, while some may be able to argue that EHRs are as disruptive a health care milestone as the first vaccination in the 18th century or the discovery of penicillin in the 20th, they are not without their shortcomings - namely cybersecurity.
What are EHRs?
As the name suggests, EHRs are partially a digital version of the data doctors or nurses glean from their patients - diagnoses, histories, billing documents, even real-time vitals provided through medical devices. Combined together into one virtual packet, these materials form an actionable profile that health care professionals can use to treat their patients more effectively as well as improve doctor-patient communications. A survey conducted by the Centers for Disease Control and Prevention and the National Center for Health Statistics found nearly 3 out of 4 physicians reported EHR systems enhanced patient care at their respective facilities.
EHRs also allow physicians to utilize the latest mobile technology and automated risk management that hospitals and clinics have to offer. Lab technicians, for example, can upload test values directly to EHRs via an authorized EHR system transmission, so health care staff know everything necessary about a patient's health as the information becomes available. Better still, EHRs help health care avoid the costly mistakes of a paper document system, like disorganization, outdated information going uncorrected and lengthy, manual logging processes detracting from a medical professional's schedule, to name only a few.
Cybersecurity implications for EHRs, EHR systems and modern health care technology
All this aside, one noted triumph of EHRs has, of late, been their most formidable enemy: the ability to share. As innovative as digitizing patient records is, health care IT has extreme difficulty managing them on-site and between vendors. In the 30 days of June 2016, more than 11 million patient EHRs were breached, making it the year's worst incident according to a study by DataBreaches.net and Protenus. For comparison, May had fewer than 700,000 and 2016's former breach leader (March) topped out at just over 2.5 million.
Though most of the damage can be isolated to five medical databases and a single instance of more than 10 million records lifted in a single go, that's not necessarily reassuring news for the health care industry. Though it's tough to put a number on exactly how much data health care generates or how to tell the difference between small packets of information and larger imaging files, one study by the Institute of Health Technology Transformation placed the number around 150 exabytes back in 2011 - or more than 160 trillion gigabytes or 30 times "all the words ever spoken by human beings on earth." And on top of all that, it's safe to assume this number has increased dramatically over the last five years considering the exponential rate most experts believe data proliferates.
Simply put, EHR systems and EHR-compatible health care technology produce and manage a lot of data, perhaps far more than the industry can deal with given its resources. That makes the industry a sitting duck for cybercriminals, who might decide to do a lot more than merely peek at a patient's medical records or exploit what they find for financial gain.
In 2014, Wired reporter Kim Zetter wrote an exposé on the findings of information security expert Scott Erven, chronicling his mission to show the world just how hackable health care technology truly is. Once a cybercriminal traverses network security at a hospital, for example, he or she could manipulate EHRs in dangerous and unnoticeable ways that could potentially compromise patient health. For example, a security breach could result in an increase or decrease in a patient's prescription dosages or place unwarranted and expensive treatments on their tab.
Though these are all examples of worst-case scenarios, the rate at which cyber threats challenge health care daily shouldn't place them too far from the realm of possibility. Physicians and patients alike require stronger safeguards to prevent breaches from happening, because when they do, they could very well prove fatal.
How stronger change management strategies can help to avoid health care breaches
The principles of health care are built on the idea of getting better, and the same is true about health care IT and EHR system configuration.
As health care IT technicians enhance EHR-related software by integrating the latest set of best practices or regulatory changes into their employers' facilities, these professionals may unintentionally place these systems at risk because of how they manage change workloads. Advanced IT service management suites with change management modules and automated features could minimize this window of vulnerability through more agile deployment, as well as offer valuable automated features capable of providing an extra layer of protection.
Checking changes against an automated CMDB, for instance, avoids the creation of conflicting code powerful enough to cause a gap in cybersecurity. Additionally, it prevents IT workers from devoting their expertise to repetitive auditing actions with a high potential for human error. Dependency mapping also gives IT specialists a picture of which assets may experience complications due to the introduction of change, so teams can preempt the situation entirely. And generally speaking, a more visible centralized change management process affords health care IT staff the power to oversee their workflow and maintain their bearings to ensure compliance with regulators and adherence to intelligent data security policies.