Keeping Electronic Health Records Safe in Transit
Electronic health records aren’t stationary documents that remain protected behind a single wall of defence. They travel between healthcare organizations and third-party business associates frequently, and each journey carries the risk of a security breach. Today we’ll talk about the type of personal data exchanged in healthcare and how encryption helps keep that data secure.
Personal data exchanged in healthcare
Electronic health records are a treasure trove of sensitive personal information including:
- Medical history, medications and immunizations.
- Diagnoses and treatment recommendations.
- Lab reports including radiology images and test results.
Creating a unified electronic health record takes collaboration between multiple parties. This means medical information—including colonoscopy test results—is in transit more than you think and probably more than you are comfortable with.
Electronic health records travel between these organizations by various routes:
- General practitioners.
- Insurance agencies.
- Homecare agencies.
- Third-party business associates including companies that process claims, administer benefits, transcribe medical reports, store and dispose of documents, etc.
The cost of unprotected digital patient records
Unprotected electronic health records—in transit and otherwise—are a costly disaster waiting to happen. The personal data found in patient records is valuable to nefarious agents—so valuable that breaches are common and costly in healthcare. And the more records that are breached, the more the breach costs. Data breaches cost on average $141 per breached record—except in healthcare, where the average cost per breached record is $380.
As you saw from the list above, many organizations receive and send digital patient records as part of their business processes. In the summer of 2018, for example, CarePartners, a homecare company and business associate of the Ontario government, was hacked, and 80,000 patient records were affected. To add insult to injury, the hackers told the CBC that the data they stole wasn’t even encrypted!
Too many electronic health records are at risk because healthcare organizations are dealing with stagnant or declining IT budgets year-over-year. But deprioritizing cybersecurity is short-sighted because the average cost for a ransomware incident is $76,000 and the average hacking breach costs $2.4M.
Research indicates, however, that implementing an organization-wide encryption solution is a cost-saving initiative. For example, the Ponemon Institute’s 2017 Cost of Data Breach Study suggests that the top three factors that reduce the potential cost of data breaches are having an incident response team, using encryption extensively and training employees. Additionally, a recent Total Economic Impact™ study conducted by Forrester Research revealed that organizations which adopt Echoworx’s OneWorld encryption platform can expect a return on investment of 155 per cent and a payback period of just seven months.
How encryption protects electronic health records in transit
To protect the private data in digital patient records in transit, encryption is essential. We recommend implementing a flexible and user-friendly encryption solution – like Echoworx’s OneWorld platform which employs up to five secure encryption delivery methods.
Four ways encryption protects your electronic health records in transit:
- Multiple flexible delivery methods – Not every healthcare organization will have the same cybersecurity measures in place, so your encryption platform must be able to handle multiple business scenarios. These include Secure PDF (e.g., secure record delivery) and web portal access, TLS, encrypted attachments, and support for S/MIME and PGP.
- Inbound encryption – When organizations accept inbound emails without encryption, the information is either stored in clear text on their network or not accepted at all. Inbound encryption allows organizations to automatically reroute sensitive incoming data to an encrypted web portal.
- Secure Bulk Mail (SBM) – This functionality automates the process of emailing mass personalized documents securely. In 2017, the British National Health Service lost 900,000 patient letters—including test results from physicians—which might not have happened if an SBM solution was in place.
- Privacy by design – When your encryption platform includes definable policies to control which communications require encryption and how they’re sent, it relieves busy healthcare administrators of the burden of making security decisions while processing patient records. This encryption solution also means organizations stay compliant with regulations like the US’ Health Insurance Portability and Accountability Act (HIPAA), the US’ Health Information Technology for Economic and Clinical Health Act (HITECH) and the EU’s General Data Protection Regulation (GDPR).
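The policy-driven behaviour described in the list above (detect sensitive content, pick the strongest delivery method both sides support, divert unencrypted inbound mail to a portal) can be sketched as a small routing engine. This is an added illustration, not Echoworx or OneWorld code; the PHI patterns, the method preference order and the recipient capability flags are constructed assumptions.

```python
import re
from dataclasses import dataclass

# Delivery methods named in the article, in a constructed order of preference:
# end-to-end methods first, transport encryption next, portal-style delivery last.
PREFERENCE = ("smime", "pgp", "tls", "secure_pdf", "web_portal")

# Constructed PHI indicators: a hypothetical medical record number format and
# a few clinical keywords drawn from the record contents listed in the article.
PHI_PATTERNS = [
    re.compile(r"\bMRN[-:]?\s*\d{6,}\b", re.I),
    re.compile(r"\b(diagnosis|lab result|radiology|immunization|medication)\b", re.I),
]

@dataclass
class Recipient:
    address: str
    smime_cert: bool = False   # assumption: recipient's S/MIME certificate is on file
    pgp_key: bool = False      # assumption: recipient's PGP public key is on file
    tls_enforced: bool = False # assumption: recipient domain verified to require TLS

def requires_encryption(subject: str, body: str, attachments=()) -> bool:
    """Policy check: encrypt when PHI indicators appear in text or an attachment looks clinical."""
    text = f"{subject}\n{body}"
    if any(p.search(text) for p in PHI_PATTERNS):
        return True
    return any(a.lower().endswith((".dcm", ".hl7")) for a in attachments)

def choose_delivery(rcpt: Recipient, sender_policy) -> str:
    """Pick the most preferred method allowed by policy that the recipient can handle.
    Secure PDF and the web portal need no recipient setup, so they are always available."""
    capable = {"secure_pdf", "web_portal"}
    if rcpt.smime_cert:
        capable.add("smime")
    if rcpt.pgp_key:
        capable.add("pgp")
    if rcpt.tls_enforced:
        capable.add("tls")
    for method in PREFERENCE:
        if method in capable and method in sender_policy:
            return method
    return "web_portal"  # portal is the fallback even under a restrictive policy

def route_outbound(subject, body, rcpt, attachments=(), sender_policy=frozenset(PREFERENCE)):
    """Outbound decision: plain delivery for non-sensitive mail, otherwise the chosen method."""
    if not requires_encryption(subject, body, attachments):
        return "plain"
    return choose_delivery(rcpt, sender_policy)

def inbound_action(arrived_encrypted: bool, subject: str, body: str) -> str:
    """Inbound decision: sensitive mail that arrived unencrypted is diverted to the portal
    instead of being stored in clear text on the network."""
    if arrived_encrypted or not requires_encryption(subject, body):
        return "accept"
    return "divert_to_portal"
```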
Healthcare organizations have an obligation to protect sensitive patient information in electronic healthcare records in three scenarios: when the personal data is on their network, leaving their network and arriving at their network. When healthcare organizations implement a flexible and user-friendly encryption solution, they protect this personal data across all three scenarios. Isn’t it time for your healthcare organization to get encrypted?
By Alex Loo, VP Operations, Echoworx