Healthcare Data Breaches

I was recently sent an Information Week article on the “Steady Bleed: State of HealthCare Data Breaches.” The article tries to catalog the data breaches happening in healthcare and argues that healthcare companies aren’t doing what they need to do to protect patient data.

Now, I’ll be the first to acknowledge that more can always be done. I even agree that more can and needs to be done to protect patient information. However, I don’t agree with the article’s assertion that the use of an electronic health record (EHR) is the reason why health care providers are so poorly securing patient information.

Many of you might remember my post on EMR and EHR about HIPAA Breaches related to EMR. In that post, I discuss how it’s unfair for someone to automatically assume that if there was a breach, then it was the electronic medical record software’s fault. In the analysis I did in the above post, I found that most of the HHS list had nothing to do with EMR software. In fact, many of the HIPAA breaches were lost devices which contained lists of insurance information. EHR had nothing to do with that.

I’m not saying that breaches don’t happen with an EMR. They do. However, most of the examples given in the Information Week article could have happened just as easily in the paper world. It didn’t take an electronic health record for people to start looking up famous sports stars’ health information.

Maybe the real difference with an EHR is that now we can know and track who accesses each patient record. That just means that now we actually know about all the violations whereas with paper charts they’d just happen and we’d likely never know about it or have a way to prove that it happened. So, yes, the number of reported HIPAA breaches should be going up. We have more information to report on.

The good thing long term is that with an EHR we now have tracking mechanisms that allow us to hold someone accountable for their breaches of HIPAA. If this accountability is taken seriously, the number of breaches will go down. That’s a much better long term solution than the naive ignorance of not knowing about breaches in the paper chart world.

Sure, not all EHR software is secure. Vendors need to fix and improve that. However, the numbers and reports I’ve seen don’t indicate that breaching an EHR’s security is the real problem. There are far easier ways to take patient data than defeating an EHR’s security controls. Let’s focus on those other ways that people take patient data and punish them appropriately. That’s far more productive than saying that we’re rushing too quickly into an unsecured EHR world.

About the author

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.


  • John – I totally agree with you that EMR software is not the problem or the main cause of data breaches. The main problem, in my opinion, is that Medical Practices are not putting in basic security measures to protect the most likely sources – laptops and portable devices. Basic encryption of portable devices would go a long way to protect patient data. I am disappointed that neither HIPAA nor HITECH requires encryption of portable devices. Other precautions such as Firewalls, up to date Anti-virus / Anti-malware, ensuring that servers have proper security patches and staff training will go a long way to further protect patient data.

    All of the above precautions are fairly inexpensive and not overly technically complex. It is amazing to me that Practices are not focusing on these precautions.

  • My reading of MU includes EMR ability to encrypt data. Correct me if wrong.

    Also, if there is a 3-attempt lockout, then one only needs a 3-digit password that does not change for complete security. This has been proven in studies. The onerous rules we work with make us all write down our various passwords which obviously defeats the purpose.

  • Brian- you are correct. MU states that certified EMRs have to have the ability to store data in the database in an encrypted state. Unfortunately this does not address the issue of data outside of the EMR. Data on laptops, USB drives and email are not required to be encrypted. Portable devices continue to be the source of a majority of data breaches.

    I also agree with you that account lockout is one of the best security measures you can implement.

  • Over the years I have come to understand that although all software has its bugs and weaknesses, the really big weakness in any system is its people. The systems which we invent to manage tools like an EHR or even anti-virus are usually defective from the start. By this I mean the governance systems that determine what steps are necessary to set up, maintain, enforce and monitor your controls over the entire life cycle of the IT system. That is where the problem really lies.
    I work at a large federal health agency in the office of the CISO. I see the breach reports. They are almost universally people problems not technical problems. And where they are technical problems, they could have been prevented by good governance of the technology.
    The other problem with EHR is not its insecurity but the level of impact that a single breach creates. In the “old days” you tended not to leave a filing cabinet in the back of your car. Anymore you could have 20 filing cabinets of medical records in your briefcase. One breach can result in 90,000 records being sent out. That was physically impossible with paper (although I have seen some pretty big snail mail breaches!)