Is Your Data Safe? How to Assess Your EMR Vendor’s Cybersecurity

The healthcare industry is no stranger to ransomware attacks and other cybercrimes. These events can be crippling to even the most advanced systems, bringing critical processes and infrastructure to a screeching halt and exposing private health information to criminal eyes. According to the U.S. Department of Health and Human Services, the occurrence of ransomware attacks increased 60% from 2019 to 2020. Furthermore, HIPAA Journal reports that 9.7 million healthcare records were compromised in September 2020 alone.

As the healthcare industry becomes increasingly reliant on network technology to maintain critical functions, medical practices have become a prime target for cybercriminals. Given the growing threat of cyberattacks, practices need to ask themselves one major question: Is my data secure?

What Are the Options for Secure Storage?

To avoid falling victim to cyberattack, practice leaders should make educated decisions about how to store and access Electronic Medical Records (EMR) and other critical data. Practices effectively have two options when it comes to data storage: cloud storage via third-party EMR vendors or on-premises data storage, i.e., physical servers housed by the practice. As networking and data storage technology grows increasingly complex, most practice leaders lack the necessary expertise to execute effective security measures and critical hardware maintenance required by on-premises storage, making cloud-based vendor solutions a more attractive option.

Today, practices have a wide range of cloud-based EMR vendors to choose from. By choosing to invest in cloud storage via a third-party vendor, practice leaders can offload a significant burden, outsourcing the work of maintaining servers with high-quality cybersecurity. Furthermore, many cloud-based vendors allow practices to bundle their solutions with other value-added services, such as practice management, scheduling, and billing software all within the same platform.

Questions to Help You Choose Wisely

While there are many vendors to choose from, not all are created equal. It’s important that practices ask the right questions about security offerings before committing to a vendor. Some questions you may consider asking include:

• What internal security measures does your organization employ?
• Do you have a detailed incident response plan?
• Do you have a written security plan?
• What is your plan for business continuity in case of a cybersecurity breach or failure?
• Do you have segregated backups for all data?
• Do you segregate data for individual clients?
• How quickly can your team recover data and platform function after a security breach?
• What kind of encryption is used for both data in transit and at rest?
• How have you handled past breaches, and when was the most recent?

The above questions should be easy for a reputable vendor to answer. If they are unable to answer any of the above questions with an emphatic “yes” or provide detailed information about specific plans, you should continue with your search for a different vendor who can more effectively meet your data security needs.

However, in the end, no matter how many questions you ask and how exhaustive a vendor’s security measures may be, even the most secure systems can be vulnerable to sophisticated attacks.

Your Data Has Been Compromised. Now What?

Your EMR vendor should inform you immediately in the case of a security breach. As soon as you are aware of the breach, you should call your malpractice insurer or broker to inform them of the situation. Your insurer may want to bring in legal counsel to contact the EMR vendor and any in-house practice IT staff to uncover the source of the breach, sometimes with the help of third-party forensic analysis.

Keep in mind that just because a security incident or unauthorized access has occurred, you may not need to inform your patients. Once the forensics team gains a clear understanding of whether data has been compromised and how, your legal counsel should inform you whether the incident constitutes a breach under HIPAA compliance standards. If it does, there is an obligation to inform patients by mail with specific information and file a report with HHS. While the threat of a data breach remains a significant concern, investing in high-quality security and staff education can greatly reduce a practice’s likelihood of cyberattack. Practices should also diligently document these efforts to protect themselves against undue liability in the case of a significant breach.

If you have questions about this topic, Curi can help. Call 800-662-7917 to speak with one of their experts today and learn more about what you can do to help keep your practice safe from cybersecurity threats.

This article is for informational purposes only and is not intended to be an exhaustive list of all issues that might come into play when medical practices face a cybersecurity breach. 

Curi’s in-house attorneys cannot and do not offer legal advice to external parties including but not limited to insureds. Communication with Curi’s in-house attorneys and/or review of materials published by them does not establish an attorney-client relationship. Please contact your personal or corporate attorney if you require legal advice.