Patient Access to EHRs Warrants Prescription for Data Security
Steps, heart rate, nutrition, weight management, hydration, sleeping patterns—we’ve been tracking a number of health statistics on our mobile devices for years. Download an app, create an account, and (where necessary) pair your peripheral device. As consumers, we put our trust in the application providers to ensure our data remains secure.
With so much about our health already being collected from our devices, what are the considerations for similar access to our electronic health records (EHRs)?
A study published in JAMA and reported by HealthcareDIVE in August reflects potential interest among patients in the US. However, security considerations abound. When a fitness app suffers a security breach—and my preferred app was a victim of this a few years back—it’s a problem. Step counts, exercise patterns, and sleep cycles may have been snagged. Worse, of course, was that the personally identifiable information (PII) may have been caught up in there. But the idea of entire health histories ever being compromised? Scary.
Convenient Access is Enticing
But convenient access is so enticing to us as patients. Consumers (patients) around the world are increasingly part of an on-demand culture. And when it comes to our health records, it’s not easy to remember when every medication was prescribed. As we age, the ability to track and reference the onset of symptoms we experience adds yet another potential reason patients want to be able to access their EHRs easily.
Still, healthcare remains a leading industry for data breaches, and the long-term risks for patients whose data is exposed persist far longer than in many other targeted industries. The industry has seen breaches among major laboratories and medical device manufacturers. This summer, a study by Thales in conjunction with IDC indicated nearly one-third of healthcare firms globally have experienced a data breach in the past year.
Enabling patients to access their own EHRs means access on devices not necessarily controlled by any endpoint management solution. So, data security becomes the application provider’s best friend.
For those who attended HIMSS in February 2019, MITRE had a great session on this theme, using a real-world example of a young lady who finally experienced the breakthrough relief from her illness by being able to log her various symptoms, when they occurred, how long they lasted, etc., and pulling up that data when meeting with the myriad physicians on her multi-year journey to recovery.
As firms look to enable more access for patients, the data becomes the focus area for ensuring privacy. Consider the device unmanaged and the network connections unsecured. Essentially, assume the patient is accessing their records on “device X” over the Wi-Fi at their local coffee shop. Expand that assumption to include a hacker drinking a latte at the next table and another app already on the patient’s device that is exposed to malware.
Many healthcare organizations don’t perform IT security checkups often enough, with most reporting they perform risk assessments annually or even less often. Applications that offer access to EHRs must not begin at such a low data-security threshold.