Are electronic medical records worth it?

The use of Electronic Medical Records (EMR) by medical professionals has increased dramatically. According to HealthIT.gov, 2015 statistics show that 56 percent of all U.S. office-based physicians (MD/DO) have demonstrated meaningful use of electronic health records. The downside of these statistics is that when HIPAA was enacted in 1996, privacy was not a major focus and it actually took HHS eight years to publish the initial HIPAA Privacy Rule. It then took the agency several more years to publish initial security rules which directed “covered entities” (e.g., providers, hospitals, health insurers) to perform a risk assessment, understand where their vulnerabilities were, and to adopt reasonable safeguards to fix them.

Unfortunately this timeline has made healthcare records easy pickings for cybercriminals. Since 2010, incidents of medical identity theft have doubled, according to a survey conducted by the privacy-focused Ponemon Institute. A second report by the Identity Theft Resource Center on breaches in the first four months of 2015 showed that one-third of all data breaches by industry occurred in healthcare: 82 instances in total, exposing over 1.7 million records. Modern Healthcare, in fact, estimated that the medical records of almost one in eight Americans have been compromised. The American Action Forum estimates that all the breaches since 2009 have cost the healthcare system $50.6 billion. Data breaches have been so bad that Blue Cross Blue Shield has announced that they will offer their customers identity protection in 2016.

Figure 1- Number of personal data breach incidents by industry over time (http://www.gemalto.com/brochures-site/download-site/Documents/Gemalto_H1_2015_BLI_Report.pdf)

According to a report by the medical research firm Kalorama Information, the problem will worsen over time because the $25B electronic medical record industry is predicted to grow at a 7-8 percent clip in the coming year. Much of the growth is spurred by the 2009 Health Information Technology for Economic and Clinical Health (HITECH) Act, which offered financial incentives for using electronic records until 2015 and penalties for not using EMR thereafter.

Is EMR worth the cost in privacy and peace of mind?

The value of the technology has been heralded as improved diagnosis and treatment through better information access and sharing. Researches, however, have found that the vast majority of providers don’t share electronic patient data outside their own practice. According to a study by the Agency for Healthcare Research and Quality, just 14 percent of providers were sharing data with other providers in 2013 Psychology Today notes that many medical centers’ outpatient

Finding a Framework for Hybrid Cloud Risk Management

 (Sponsored by IBM. Originally published on Point B and Beyond)

Hybrid cloud is rapidly becoming essential to today’s information technology processes. This is why hybrid cloud risk management has become the keystone to many modern corporate strategies. To effectively manage this shift, leading enterprises are reorganizing how the business side of IT is accomplished. When this reality is coupled with the rising cost of poor cybersecurity, decisions often rise to the board level.

Threats that challenge cloud-based information systems can have adverse effects on organizational operations, organizational assets, employees and partners. Malicious entities can exploit both known and unknown vulnerabilities, compromising the confidentiality, integrity or availability of the corporate information being processed, stored or transmitted by those systems. In this environment, risk management must be viewed as a holistic activity that is fully integrated into every aspect of the business.

Establishing Standards for Hybrid Cloud Risk Management

The National Institute of Standards and Technology (NIST) offers a very good model for hybrid cloud risk management that groups activities into three categories based on the level at which they address the risk-related concerns. It divides activities and concerns into:

• The organization level (tier 1);
• The mission and business process level (tier 2); and
• The information system level (tier 3).

Addressing these activities in reverse order, the NIST Risk Management Framework (RMF) provides a disciplined and structured process for integrating tier 3 enterprise information security with risk management activities. Since mission or business processes govern tier 2, those details generally lie outside the scope of general treatment. Tier 1 organizational level aspects are, however, at the heart of the organizational restructuring needed to deal with risk management within today’s hybrid IT environments.