Often used interchangeably with the term electronic medical record (EMR), electronic health records (EHRs) are the culmination of recent advancements in electronic information and data storage.
Because EHRs offer a simpler method of storing, managing, and sharing patient health information, many healthcare providers and hospitals have implemented them into their everyday practices for managing patient medical records due to their advantages over other methods.
In this article, we explore the ever-evolving world of electronic health records, covering how they can be compromised and cause data breaches, and how healthcare providers can use electronic media destruction and other strategies to prepare for and protect themselves against a potential data breach or an identity thief targeting EHRs.
How EHR Data Breaches Happen
With EHRs, there is only one editable health record, meaning that any information it contains will always be up to date.
This is why many healthcare providers now favor electronic health records: unlike with paper medical records, older copies no longer need to be tracked down when a patient medical record must be updated, and the odds of creating duplicate copies or replicating inaccurate data are all but eliminated.
Although electronic health records have helped to greatly simplify the process of managing medical records for healthcare providers, this convenience does come at a cost.
Because all of the patient EHRs are generally stored in a single, centralized location, one EHR data breach can mean that thousands of medical records are exposed. Between 2005 and 2016 alone, there were 1,274 data breaches in the healthcare industry that affected just under 45.5 million patient medical records.
Here are just a few examples of how EHRs can end up in the wrong hands:
Accidental Data Breaches
Although the stereotypical idea of personal information going missing involves malicious intent, as past cases like the Target data breach have demonstrated, there is plenty of room for data breaches to be caused by accident.
In 2013, for instance, a New York-based healthcare provider called Affinity Health Plan agreed to pay a $1.2 million settlement after unintentionally releasing the electronic protected health information (ePHI) of nearly 350,000 patients that was stored on the hard drives of copy machines they had recently returned to a leasing company.
Unfortunately for Affinity, the breach was discovered by a representative of the CBS Evening News. During a story in which CBS purchased four used copy machines from a leasing company, they removed the machines’ internal hard drives and analyzed their contents, where they discovered the confidential medical records still contained on Affinity’s old photocopier.
As with many electronic devices now used in the healthcare industry, a copy of every medical file and image sent through a copy machine is saved to the machine’s internal hard drive. Because of this, it is imperative that healthcare providers take the proper steps to remove all information from their electronic devices before they either return or dispose of them.
Disposing of ePHI and EHRs is important for the protection of patient privacy, and the Affinity case also serves as an expensive reminder to other providers that not knowing about potential security risks is not a valid excuse for threatening the privacy of patient electronic medical records.
Hackers and Identity Thieves
While EHRs certainly do leave room for being accidentally compromised, the threat of a hacker or traditional thief grabbing devices containing EHRs is nevertheless a risk for providers to keep in mind.
In 2016, an unencrypted laptop belonging to the California Correctional Health Care Services containing the ePHI of up to 400,000 inmates was stolen. Reportedly, the laptop potentially included sensitive information such as names, addresses, Social Security numbers, and protected EHRs of past and present California inmates.
Above all, this incident is a reminder of the importance of data encryption on company devices that contain sensitive information, especially mobile devices like laptops or tablets.
Although data encryption wouldn’t have stopped the robbery or theft, the fact that the information the device contained would be inaccessible due to its encryption would have rendered it useless to thieves.
No matter how a data breach occurs, laws like the Health Insurance Portability and Accountability Act (HIPAA) leave little room for flexibility when it comes to PHI, imposing heavy fines on providers who take the privacy of their patients lightly and making it essential that providers cover all their bases when it comes to protecting their EHRs.
How You Can Help Protect Your Electronic Health Records
Stories like the Affinity Health Plan copier case serve as a costly reminder to healthcare providers about the importance of properly securing and disposing of the EHRs contained on company electronics.
Besides just photocopiers and scanners, ePHI can be found on the hard drives of numerous devices kept around any office or medical practice, making it important that prior to disposal, providers evaluate electronics such as:
- Biomedical Devices – Including Physiologic Monitors, Diagnostic Ultrasound, Infusion Pumps, CT and MRI Scans, Laboratory Analyzers, and Ventilators
- Embedded Flash on Boards or Devices – Such as Motherboards and Peripheral Cards like Network Adaptors
- Legacy Magnetic Media like Floppy Drives, Magnetic Tapes, and Zip Disks
- Memory Cards – Includes SD, SDHC, MMC, Compact Flash, Microdrive, and Memory Sticks
- Mobile Devices such as Cell Phones, Smart Phones, PDAs, Laptops, and Tablets
- Optical Media like CDs and DVDs
- PC Hard Drives
- RAM and ROM-based storage devices
- USB Removable Media such as Pen Drives, Thumb Drives, Flash Drives, and Memory Sticks
To protect the highly confidential information that these devices contain, and to ensure that no one can recover it after disposal, many healthcare providers have adopted electronic media destruction services to guarantee that EHRs on devices are fully removed.
Electronic Media Destruction Services
Simply formatting or deleting the hard drive in a computer or other electronic device is not foolproof protection. Using the right software, previously removed information can be restored, meaning that in order to truly guarantee that sensitive information like EHRs is protected, healthcare providers must either use a specialized software solution or completely destroy the device.
At Shred Nations, our electronic media destruction services are able to cover all your potential needs and ensure the data on your drives is completely unrecoverable. Whether it’s absolute destruction or hard drive degaussing, our providers will always be able to present you with a certificate of destruction to assure you of secure chain of custody. We even take steps to ensure we properly dispose of raw hard drive materials in compliance with EPA standards after the process is complete.
Healthcare providers should also remember to take steps to better protect themselves and their EHRs prior to their destruction or disposal. By ensuring that your electronic health records are additionally secured using data encryption software, there is a good chance that even if a device which stores EHRs is stolen, it will be inaccessible and unusable to the thief.
Request Free, No-Obligation Quotes on Electronic Media Destruction Services for Your EHRs
With EHRs, healthcare providers are able to simplify the process of managing the medical records for the thousands of patients they see. Even so, with great convenience comes great responsibility, as the ease of an electronic health record makes the odds of unauthorized access to the EHR much greater as well.
That’s why at Shred Nations, we partner with a nationwide network of the top data destruction providers in the industry. With secure electronic media destruction services which healthcare providers can rely on to ensure that sensitive EHRs are safely removed from their electronics, you can rest assured that Shred Nations can meet all your data protection and destruction needs.
To get started scheduling an electronic media destruction service to handle the disposal of the sensitive EHRs stored on your company devices, just give us a call at (800) 747-3365, or simply fill out the form to your right to request free quotes on EHR destruction services near you!
Additional EHR and Electronic Media Destruction Resources
Although they’re an essential tool for the healthcare industry, medical records are also the primary target of identity thieves. With this in-depth white paper, we delve deeper into the world of both electronic and paper-based medical records, covering topics which range from what the various medical record types are, to why identity thieves want them and how healthcare providers can take steps to better protect patient medical records.
The importance of ensuring that electronic media destruction is properly carried out is an aspect of the process that is often overlooked by business owners across the spectrum of different industries. Despite this, in order for a business to remain compliant with all laws and avoid steep fines or other penalties, it is essential that businesses pay close attention to the specific data destruction laws which affect them in order to ensure they protect all the personally identifiable information (PII) their documents contain.
Besides the need to protect the electronic health records that are quickly becoming more common in the healthcare industry, it is equally important that healthcare providers still using hard-copy medical records also take steps to ensure their medical records are protected and properly destroyed once they are no longer of use. In this article, we make a closer examination of paper medical records, providing information not just on how identity thieves get their hands on medical records, but how providers can take preemptive steps to prevent patient medical records being compromised.