Are Your Medical Records Secure?


In the first decade of the 21st century, the federal government issued a mandate that all medical records must be in electronic form by 2014. This was an outgrowth of the Health Insurance Portability and Accountability Act (HIPAA) from the mid-90s. To keep medical providers compliant with HIPAA, the move to all-electronic records was deemed necessary.

Seven years later, all medical records that have been created or accessed since about 2010 are indeed on-line. This means with the proper authorization, your records can be viewed by you, a doctor other than your primary care provider, or staff at a medical facility. The theory is that this makes providing in-depth care easier for everyone.

But how secure are those records? Should you worry that this better access for the medical profession means the bad guys also have increased access? As is so often the case with cybersecurity, the answer is more complicated than a simple yes or no.

Medical records are kept separate from other electronic records (tax data, social security, property transactions, etc.) in most cases. A part of HIPAA, the Security Rule, mandates this and has substantial penalties for non-compliance. The protocols that make this secure are comprehensive, and health-care providers are required to conduct a risk analysis to identify risks to the confidentiality, integrity, and availability of personal health information (PHI).

It gets fuzzier, though, when that data gets passed around. If a clinician emails PHI, but sends it to the wrong address, that could be a breach. If a clinical trial uses PHI, and doesn’t anonymize it properly, that could also be a breach.

Another problem, as in all other areas of cybersecurity, is a breach caused by phishing. If a staffer at a medical provider falls for a phishing email and gives a hacker their login credentials, the hacker can then use that access point to get into the provider's medical records database. Depending on the level of access the phished staffer has, this could mean complete access to all patient records.

Medical record fraud is one of the most lucrative forms of hacking, as the information obtained illegally can be used to make false insurance claims. This is a multi-million-dollar underground industry.

As with most cybersecurity, you can protect yourself to a certain degree. Pick a username that is not easily guessed (if you can, use something other than your email address), use a password you do not use anywhere else, and employ multi-factor authentication. If your medical provider offers a website and/or phone app to access your records, sign up for it. This gives you greater visibility into your data, what’s been done to that data, and who has accessed it.

On a broader scale, keep an eye out for news of breaches at health providers that you have dealt with. Because data can be and is shared between providers, a breach at one can mean your PHI is vulnerable at others. Should you get word of a breach, change your password immediately, and contact the breached provider to see what other steps they are taking to mitigate the incursion. 

