How Secure Is Your Data? Assessing and Mitigating Risks for Electronic Health Records

View all blog posts under Infographics

Infograph outlining how to assess the security of your data

Add This Infographic to Your Site

<p style="clear:both;margin-bottom:20px;"><a href="" rel="noreferrer" target="_blank"><img src="" alt="Infograph outlining how to assess the security of your data" style="max-width:100%;" /></a></p><p style="clear:both;margin-bottom:20px;"><a href="" rel="noreferrer" target="_blank">University of Illinois at Chicago </a></p>

Electronic Health Records (EHR) have become common in the US with nine out of every 10 physicians surveyed saying that they have adopted the technology. In fact, EHR adoption and usage has more than doubled from 42% in 2008 to 87% in 2016. What’s more, up to 90% of hospitals have already integrated EHR technology into their systems. American consumers have also jumped onto the digital health bandwagon. In fact, by 2018, 50% of mobile device users will have downloaded 3.4 billion health apps, industry experts forecast. Some of these apps link to wearable devices that track metrics such as steps taken, distance covered, and even heart rate. Industry analysts expect the Internet-of-things era to usher in more ways of capturing and accessing health data.

To learn more, checkout the infographic below created by University of Illinois at Chicago Online Master of Science in Health Informatics degree program.

Mobile Health or mHealth Statistics

Currently, 66% of Americans use mobile apps to manage a wide range of health issues. In addition, 61% use apps to communicate with physicians, 46% use medication reminder apps, and 45% rely on apps to track symptoms. On the other hand, doctors are up to 250% more likely than consumers to own a tablet. The number of doctors and nurses who owned a tablet jumped to 86% in 2013 up from 78% in 2012. Mobile devices make communication easier with 60% of medical practitioners using them to send and receive work-related text messages.

Data Storage

Data storage solutions collectively form the engine that drives web-based activities. Although storage solutions vary widely, they can be broken down into tiered storage, picture archiving and communication system (PACS), cloud storage, storage area network (SAN) storage, and hybrid storage. Out of these, cloud storage is the most widely known due to the popularity of cloud computing/storage startups and platforms including Dropbox, Box, and Google Drive. Esoteric definitions aside, cloud storage enables users to access data stored in remote data centers via the internet. Picture archiving and communication system (PACS) is platform that is specifically designed to support storage, retrieval, and management of medical images.

Tiered storage typically requires complex networking to ensure it functions properly and meets the relevant performance, data availability, and recovery requirements. To achieve these goals, data records could be channeled towards on-site servers with backup copies pushed to cloud-based servers. SAN storage is quite different from the other storage solutions discussed in this article because it consists of a high-speed server network that can connect to multiple storage devices/solutions. Hybrid storage refers to a combination of different storage solutions. For instance, a healthcare provider could use a combination of on-site/local and cloud storage. Since 2009 — when the HITECH Act was enacted, office-based usage of electronic medical records (EMR) by doctors has doubled.

Health Data Risks

Research has shown that up to 90% of healthcare organizations have been the victims of at least one data breach in the last two years. In the last year alone, 253 data breaches led to the loss of more than 122 million health records. These breaches were caused by hacking/IT incidents (111,812,172 records), improper data disposal (82,421 records), data loss (47,214 records), theft (740,598 records), and unauthorized access (572,919 records). These breaches cost the US health sector $5.6 billion annually. Over the last 12 months, 1 in 3 Americans were affected by data breaches, with an average of 25.3 incidents reported every month over the first half of 2016. This figure rose to 39 data breaches per month over the last half of 2016, which translates to an increase of 55%. Some of the major companies that were compromised by cybercriminals during this period include Anthem Blue Cross (78.8 million records) and Premera Blue Cross (11 million customers).

Protecting Health Data

To start with, it is advisable to carry out a thorough HIPAA security risk analysis across all storage and access devices. Furthermore, all records should be encrypted using secure data encryption protocols. In the period spanning 2009-2014, failure to use encryption was responsible for a third of all major data breaches. Besides this, medical practitioners must learn how to transmit, store, and access health records securely. This includes using strong passwords and logging out of networks after completing data access tasks. Unfortunately, 22.3% of professionals in the healthcare industry share their passwords with other people, thereby increasing the risk of compromise by cybercriminals. More worryingly, 14% of doctors access and keep patient records in their personal mobile devices even though they do not use any form of data encryption or password protection. Hackers can easily access these records in several ways. For instance, they could use spear phishing strategies to infect smartphones/tablets with malware that can transmit data to command servers surreptitiously. Unencrypted mobile devices can also be compromised when connected to vulnerable Wi-Fi networks. A good example is any Wi-Fi network that still operates under default/factory settings. In this case, all a hacker needs to do is to lookup the default settings online and use them to breach the target wireless network.

Another effective way of protecting health records is by ensuring that all servers and networks can be wiped, locked, or disabled remotely. This enables a network administrator to prevent dispersal or further access of sensitive data in the event of a hacking incident. Additionally, updating security software/tools including firewalls, persistent threat scanners and anti-virus/malware scanners regularly makes it even harder for cybercriminals to compromise patient records. Hospital administrators in collaboration with the relevant departments, especially the IT department, should develop an incidence response plan geared towards minimizing the reputational damage and financial losses associated with hacking incidents. More importantly, the plan should be evaluated periodically and updated accordingly. Finally, hospitals should develop a cyber security strategy that is optimized to address known threats and complies with the regulations governing health data privacy such as HIPAA. Moreover, the law requires companies/consultants involved in securing patient data and hospital networks to comply with the relevant data privacy regulations as well.


The health sector in the US has adopted electronic health records or EHR to ease the hassle of creating, storing, and retrieving patient data. To keep cybercriminals at bay, health facilities should secure their data and networks with up to date security solutions, urge physicians to use strong passwords, encrypt data using secure protocols, and implement data breach mitigation plans.