Micheal Koploy over at Medical Software Advice put together an interesting post that looked at all the HHS breach data. He does a pretty in depth look at the various incidents of breach that occurred and even does a deep dive into the specific EMR related HIPAA breaches that are listed. He then forms an interesting conclusion:
HIPAA Violations Aren’t in the Cloud
Some have said that increasing the number of EMRs make our records more vulnerable. I’d cite the above data to argue otherwise. Paper records and portable devices are the weakest link in HIPAA security. The systems themselves – and certainly cloud-based systems – have a pretty good track record. HIPPA violations aren’t happening in the cloud. Rather, they’re happening in the doctor’s office, hospital IT closets, cars, subways, and homes.And the statement that cloud-based EMR systems are more vulnerable to security breaches simply isn’t supported by facts. Of course, it remains to be seen if this holds true as more cloud-based systems are deployed. As more physicians move their records to the cloud, the opportunity for breaches will increase.
If my doctor asked me how to ensure patients’ data is secure, I would offer the following: go to the cloud. Web-based EMRs eliminate the most common security risks because there aren’t physical files to be compromised. And no matter your system, it’s essential to train your staff on the necessary security measures to ensure patient privacy is a systematic imperative
I think he makes a good point about it possibly being too early to really know how many cloud based SaaS EHR companies are going to have breaches. I also think it’s fair to consider that when those do happen, they’re going to be big breaches. They won’t just be a few records that are breached, but a whole bunch. Although, this is true for any electronic medical record HIPAA breach as compared with a paper chart HIPAA breach.
The other thing I can’t help but wonder is if there are more breaches with cloud EHR software, but we just don’t know that their happening. Although, that goes against the common thinking that EHR software does a much better job of tracking breaches than a paper chart. Your digital fingerprints are all over a digital chart and can be reported on quite easily. It’s a little harder to track the inappropriate fingerprints on a paper chart.
All in all, I’d have to agree with Michael and his assertion that we’re likely to see many fewer EHR breaches from a SaaS or cloud based EHR company than we will see from all the in house EHR software. In an in house system, the EHR company can just blame the clinic for the breach (in most cases). In a SaaS based EHR system, a HIPAA breach would have a much more damaging effect on the future sales of that EHR company. So, they’re more likely to put in the effort needed to avoid such breaches.
Though it may not seem like it, this article is talking apples & oranges.
Yes, the outcome is still the same, in that data is breached, but to say the cloud is safer…well, just ask Sony and now Sega about that.
Sony’s cloud breach was of more than 1 million users.
The Sega cloud breach 1.3 million records.
Previously I broke down the 2010 data breach stats provided by the CMS. There were 8 million breaches noted in all of 2010.
By far “theft” was the largest breach method. Of course, if users just followed some simple rules…like HIPAA…these incidents would be minimal.
Low on the list is “hacking”.
It is only a matter of time before hackers decide to go after PHI data centers.
Just hope the EHR in which your PHI is stored has done a solid job of encrypting everything.
Additionally, whether data is stored on the cloud or locally, there is still plenty of opportunity to have a data breach.
How about the incorrect mailing by the Florida BCBS recently.
I think the Sony and Sega comparison is even more like comparing apples and oranges. Although, certainly plenty can be learned from it as well.
I’d be interested to know when you went through the list, how many of the breaches would have been prevented had they just followed the HIPAA regs.
I do hate that you have to “hope” that your EHR vendor has encrypted the PHI and other security measures. I think a company could be built that went in and certified such requirements.
Knowing the hacking culture like I do, I’m still not sure the motivation for hackers to really take a hard look at hacking PHI. I’m sure it will happen sooner or later. In fact, it’s likely happening today and we likely don’t realize it. I just haven’t decided what would make a healthcare information target as attractive as all the other targets out there.
[…] it seems to do at least annually, if not more frequently. John Lynn seems to agree in his recent post over at […]