Posted November 1, 2016 by admin in articles

The Dangers of Funding EHR Without Concurrent Upgrades to Cybersecurity

Santosh Varughese, President, Cognetyx

The American Recovery and Reinvestment Act requires that healthcare facilities adopt and demonstrate “meaningful use” of electronic health records (EHRs) in order to maintain their existing Medicaid and Medicare reimbursement levels. Even beyond the legal requirements, EHRs are a fundamental part of 21st century healthcare. They benefit both patients and providers by reducing paperwork and improving communication between healthcare professionals and facilities, which reduces errors and enables better patient care.

However, if an organization’s cybersecurity is not upgraded at the same time it installs a new EHR system, the organization invites breaches of electronic protected health information (ePHI) and, subsequently, millions of dollars in cleanup costs, including possible citations for HIPAA violations, class-action lawsuits on behalf of affected patients, and a public relations nightmare. Following are five reasons why it is foolhardy to purchase a new EHR system – or even upgrade an existing one – without concurrently investing in cybersecurity upgrades to protect it.

  1. The rollout of a new system always means new security vulnerabilities.

The cybersecurity landscape is dynamic; as soon as security experts figure out how to thwart one type of attack, hackers discover another way in. New software and hardware always mean new connections to the network and, thus, new vulnerabilities, which is why enterprise cybersecurity measures should be revised and upgraded whenever changes are made to an existing system – and certainly if an entirely new system is being installed.

  2. Healthcare facilities – not their EHR vendors – are responsible for the security of ePHI.

Some executives may assume that since they are outsourcing the development, installation, and implementation of an EHR system, the EHR vendor is responsible for ensuring that the system is secure. This is not true. EHR vendors install new systems and, in some cases, provide employee training on the software. They are not information security experts. While most EHR systems and related hardware offer built-in security features, they may not be properly configured for a particular facility’s specific data environment, which means they will not provide full protection against the specific threats that facility faces.

Ensuring that an EHR system is secure is a related but completely separate job from development and installation, and at the end of the day, federal law holds healthcare facilities, not software vendors, responsible for protecting ePHI against breaches.

  3. Healthcare cybersecurity is about more than securing EHR systems.

Today’s healthcare facilities have highly complex data environments that extend beyond EHR systems. In addition to patient medical records systems, healthcare organizations may also be running email servers, billing systems, employee records and payroll systems, and other systems that support ancillary functions. Additionally, the explosive growth of Internet of Things (IoT) medical devices and the wide-scale adoption of tablets and other mobile devices mean that new hardware is being added to the network every day. If the entire system is not secure, the EHR system will not be secure; hackers could make their way into patients’ medical records by infiltrating an email server, billing system, or even an IoT device.

  4. Employees can’t adhere to cybersecurity best practices if they don’t know about them.

Not only do employees need to be trained on how to use a new EHR system, but they also must be trained on how to use it securely. The installation of a new system is a good time to review general cybersecurity best practices, such as not sharing passwords and learning how to spot phishing emails, along with best practices specific to the new system.

  5. There will always be employees who break the rules, either inadvertently or purposefully.

Unfortunately, all of the employee training in the world will not completely prevent malicious acts, carelessness, or simple human error. The overwhelming majority of data breaches occur not because of brute-force system hacks but because cyber-criminals obtain legitimate login credentials: directly from a malicious insider, through a phishing email or another social engineering scheme, or by taking advantage of human error or carelessness, such as an employee sharing a password or logging into the system from an unsecured device. Additionally, employees themselves can “go rogue” and abuse their system access to steal patient data. Thus, when installing an EHR system, it is imperative to simultaneously install security software that can monitor the network for anomalous user behavior and flag possible instances of stolen credentials or user abuse.
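The two behaviours named above, a credential being used from more than one place and an insider opening far more records than usual, can be spotted with simple baseline checks over EHR access logs. The following is an added example, not code from the article or from Cognetyx; the log format, user names, IP addresses, patient IDs and per-user baselines are all constructed for illustration.

```python
"""Two behaviour checks over constructed EHR access-log lines (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, source IP, patient record accessed.
SAMPLE_LOG = """\
2016-10-31T08:02:11 nurse_a 10.1.4.21 P1001
2016-10-31T08:05:40 nurse_a 10.1.4.21 P1002
2016-10-31T08:06:03 nurse_a 198.51.100.7 P1003
2016-10-31T09:15:00 clerk_b 10.1.7.9 P2001
2016-10-31T09:16:10 clerk_b 10.1.7.9 P2002
2016-10-31T09:17:30 clerk_b 10.1.7.9 P2003
"""
# Constructed per-user baseline: typical distinct patient records opened per day.
BASELINE = {"nurse_a": 12, "clerk_b": 1}

def parse_log(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, patient = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, patient))
    return events

def shared_credential_alerts(events, window=timedelta(minutes=10)):
    """Flag a user active from two different source IPs within `window`,
    a common indicator of a shared or stolen credential."""
    by_user = defaultdict(list)
    for ts, user, ip, _ in events:
        by_user[user].append((ts, ip))
    alerts = set()  # a set so one user/IP pair is reported once
    for user, seen in by_user.items():
        seen.sort()
        for i, (ts, ip) in enumerate(seen):
            for ts2, ip2 in seen[i + 1:]:
                if ts2 - ts > window:
                    break
                if ip2 != ip:
                    alerts.add((user, ip, ip2))
    return sorted(alerts)

def excessive_access_alerts(events, baseline, factor=2.0):
    """Flag a user who opens more distinct records in one day than `factor` times
    their baseline (possible record harvesting); unknown users are always flagged."""
    per_day = defaultdict(set)
    for ts, user, _, patient in events:
        per_day[(user, ts.date())].add(patient)
    return [(user, str(day), len(p)) for (user, day), p in sorted(per_day.items())
            if len(p) > baseline.get(user, 0) * factor]
```

In the sample, nurse_a's account is active from two networks within four minutes and clerk_b opens three times the usual number of charts; both are the kind of event the monitoring described above should surface for review.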

A new or upgraded electronic health records system is a major investment, and cash-strapped healthcare organizations may be tempted to put information security on the back burner in an effort to save money. However, if an EHR system is breached, healthcare organizations are looking at an average cleanup cost of $402 per record – 80% higher than the U.S. average – and a deterioration of trust between providers and patients. Cybersecurity is not an overhead cost but a wise investment, and healthcare facilities cannot afford not to make the investment to secure their new EHR systems, as well as the remainder of their networks.


Santosh Varughese is President of Cognetyx, the world’s first “Ambient Cognitive Cyber Surveillance” to help safeguard medical information. Cognetyx uses advanced machine-learning artificial intelligence to detect rogue users.
