Healthcare News & Insights

Most patients worry about EHR security, survey says

One of the challenges many hospitals face when they adopt electronic records: convincing patients that EHR systems are secure. 

The good news: Patients seem to be getting more on board with EHRs, and more are starting to trust that their electronic medical data is being kept safe by their healthcare providers.

In a survey last year conducted by SailPoint, 80% of patients said they were worried about the security of their EHR data. Specifically, the 2,100 respondents are most worried about:

  1. Identity theft
  2. Having personal information exposed on the Internet
  3. Having medical data viewed by someone not involved in their care, and
  4. The possibility of an employer learning about a personal health condition.

In comparison, a recent survey from Gfk Custom Research and IDentity Theft 911 found fewer patients fretting about EHR security. Still, fewer than half of the 1,000 patients surveyed (43%) said they think their healthcare providers will adequately protect their electronic information.

Common mistakes hospitals make

As much as hospitals work to improve their IT security, patients do have some cause for concern. The fact is that data breaches in health care are common, because hospitals and other providers hold a lot of information that’s valuable to cyber criminals.

In 2011 and 2012, the majority of hospitals (94%) suffered at least one data breach, according to a study from the Ponemon Institute. And healthcare IT professionals apparently share patients’ concerns about data security, as only 40% of the survey respondents were confident their organizations could prevent or quickly respond to security incidents.

The bottom line: There’s a lot more hospitals could be doing to protect patient information and other sensitive data. Another recent Ponemon report highlights some of the major security mistakes organizations in all industries are continuing to make:

1. Allowing unsecured personal mobile devices

Many organizations are adopting bring your own device (BYOD) programs, and hospitals are no different. However, as the Ponemon report shows, many organizations are so eager to jump on the BYOD bandwagon that they’re allowing personal devices without making sure the smartphones and tablets employees bring in are secure.

While 78% of the organizations surveyed allow personal devices at work, 61% said they don’t require those devices to be tested to make sure their security is up to par.

2. Giving employees too much access to data

Just 44% of the survey respondents said their organization is effective at making sure employees have access to only the data they need for their jobs. That’s an especially big issue in healthcare, as many breaches occur because employees view patient data beyond what they need to perform their jobs.
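One defender-side check for this problem, added here as an example and not taken from the article or the Ponemon report: a review of EHR audit logs that flags record views by staff who are neither on the patient's care team nor performing an action their role is allowed on any patient. The log format, care-team roster and role table are constructed for the example.

```python
import re
from typing import Dict, List, Set

# Constructed sample lines in a hypothetical key=value EHR audit-log format
AUDIT_LOG = """\
2013-03-04T09:12:01 user=nurse_a patient=P1001 action=view_chart
2013-03-04T09:15:44 user=nurse_a patient=P2002 action=view_chart
2013-03-04T10:02:13 user=dr_b patient=P2002 action=view_labs
2013-03-04T10:30:09 user=billing_c patient=P1001 action=view_chart
2013-03-04T11:47:58 user=billing_c patient=P1001 action=view_billing
"""

# Constructed care-team roster: patient -> users involved in that patient's care
CARE_TEAM: Dict[str, Set[str]] = {"P1001": {"nurse_a", "dr_b"}, "P2002": {"dr_b"}}

# Constructed role assignments and the actions a role may take on any patient
USER_ROLES: Dict[str, str] = {"nurse_a": "nurse", "dr_b": "physician", "billing_c": "billing"}
ROLE_ALLOWED: Dict[str, Set[str]] = {"billing": {"view_billing"}}

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


def parse_line(line: str) -> Dict[str, str]:
    """Split one audit line into a dict: timestamp plus key=value fields."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable audit line: {line!r}")
    rec = {"ts": m.group("ts")}
    for field in m.group("kv").split():
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def find_overreach(log: str, care_team: Dict[str, Set[str]], user_roles: Dict[str, str],
                   role_allowed: Dict[str, Set[str]]) -> List[Dict[str, str]]:
    """Return accesses where the user is not on the patient's care team and the
    action is not one their role may perform on any patient (e.g. billing views)."""
    flagged = []
    for line in log.splitlines():
        rec = parse_line(line)
        on_team = rec["user"] in care_team.get(rec["patient"], set())
        role_ok = rec["action"] in role_allowed.get(user_roles.get(rec["user"], ""), set())
        if not (on_team or role_ok):
            flagged.append(rec)
    return flagged


if __name__ == "__main__":
    for rec in find_overreach(AUDIT_LOG, CARE_TEAM, USER_ROLES, ROLE_ALLOWED):
        print(f"{rec['ts']} {rec['user']} viewed {rec['patient']} ({rec['action']}) outside care team and role")
```

On the constructed sample this flags the nurse viewing a patient she is not assigned to and the billing user opening a clinical chart, while the billing-record view passes on role grounds.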

3. Failing to encrypt computing devices

Recently, many healthcare data breaches have occurred because an employee took a computing or storage device that held sensitive patient data out of the office, and it was lost or stolen. One key way to prevent those breaches from occurring is to encrypt the data so that whoever ends up with the device won’t be able to access any of the information.

However, that’s not a common practice, according to the Ponemon report. Among the organizations studied, 46% said they don’t encrypt devices, and another 22% of respondents weren’t sure.

4. Trusting third parties

Hospitals aren’t just liable for patient data that’s breached on their premises — they can also suffer the consequences when their patients’ data is breached while it’s held by a third party, such as a cloud-based EHR vendor.

Unfortunately, many organizations don’t do enough to make sure they only hand over information to businesses that will keep it secure. Just 54% of survey respondents said they thoroughly vet third parties before doing business with them.

5. Failing to train employees

A large share of data breaches occur because of the actions of someone within the organization — either because malicious insiders intentionally steal data, or because employees fail to take the right steps to keep data safe from outsiders. Therefore, a key component of any IT security program should be training users to be aware of risks and stop the most common threats.

However, more than half (52%) of organizations said they don’t have a security awareness training program for employees who have access to sensitive information.

Communicate with patients

Beyond improving their security practices, hospitals can also take steps to get more patients on board with EHRs and other health IT systems. Some key steps to take:

  • Explain security practices — Patients should be aware of what the hospital is doing to keep data secure
  • Let patients voice their concerns — If patients are worried about electronic records, staff should listen to those concerns and tell patients why they shouldn’t worry, or consider making changes, if necessary, and
  • Offer the features patients want — Despite concerns about security, there are EHR features that patients want and will benefit from — for example, being able to access their own records online. Find out what patients want and try to offer those features.
