Auditors urge security for EHR networks

Government auditors emphasized the need for hospital network security in the February issues of The New England Journal of Medicine. The auditors claimed that hacking into patient electronic health records (EHRs) can be as easy as tapping into the system using a laptop in the hospital parking lot. To prove it, they did exactly that, reports the National Association for Healthcare Access Management (NAHAM).

Security breaches such as the one demonstrated by the auditors have resulted in 300,000 Medicare beneficiary numbers being compromised. These breaches have ramifications for all of us, not just the individual to whom the number belongs. According to MedPage Today and The New England Journal of Medicine, breaches in patient information can enable insurance fraudsters to defraud private insurers as well as Medicare and Medicaid. Taxpayer money is then drained away from services, which results in waste and higher costs for beneficiaries. Additionally, patients can suffer harm if hackers change information in the patient’s EHR. Mislabeling a medical condition can lead to improper treatment, and changing how often a prescription can be filled can leave patients without critical medicine.

Auditors and their colleagues from the Office of the Inspector General (OIG) at the Department of Health and Human Services (HHS) recommend that best practices for security be employed in and out of hospitals. They recommend measures such as password protection, firewalls, antivirus software, private consultation rooms, controlled prescription pads, paper shredding, biometrics, and secured copy machines.

The same security practices should be employed when healthcare workers access records from home laptops or home computers. These networks are often less secure, and scammers can obtain information to use when calling hospitals or practices pretending to be referring physicians, pharmacies, friends, or family. [See the MedPage Today article and a list of best practices for mobile devices from the Office of the National Coordinator for Health Information Technology (ONC) at]