888-448-5451 [email protected]



Obamacare’s provision requiring medical providers to switch from paper records to electronic health records (EHRs) is intended to reduce costs and help patient care, but it could be happening all too quickly for the proper information security measures to be taken to avoid unwanted access to that data.

Hospitals have been working on making the switch to EHRs for some time now, but not all hospitals have the necessary resources to do so effectively and efficiently in the time frame being requested. A perfect example is Kaiser Permanate, one of the first healthcare providers to go paperless and fully electronic. The cost involved was over 1 billion dollars in 1999/2000 and it took them over 10 years to complete the transition.

By expediting the push towards EHRs, Obamacare is creating various security concerns.  As pointed out in the article ObamaCare reg on digital patient records raises security concerns, hospital executives should be aware of at least five things:


  • The timeline to transition to EHRs outpaces the privacy laws, which risks the exploit of patient information for commercial use by outside hospital entities such as pharmaceutical companies.

  • The consolidation of a large amount of patient sensitive information in one database creates a perfect target for identity thieves; especially when it’s happening faster than needed to ensure database top security measures can be implemented.

  • All it takes is one employee caused breach for hackers to gain access to a hospital’s system and inadvertently or intentionally find themselves able to access an entire set of sensitive information such as names and social security numbers.

  • Compromised patient data is much more severe than hackers gaining access to a credit card.  While with credit card fraud an individual changes their information and gets a new credit card, you can’t change your date of birth, social security number and other such personal information that would come with access to patient records.

  • Expecting hospitals to make the transition to EHRs by 2015 is an ambitious time frame and creates the potential of an increased digital divide among small and rural healthcare providers who do not have the necessary means to make the transition securely compared to a larger provider.


Based upon our research most hospitals have never conducted a security assessment and most hospitals have no method of monitoring the data security events in place. In other words, they can’t tell if they have been hacked or not.  Also to note is that HIPAA assessment is not the same as a security assessment.  Furthermore, most hospitals are community based with less than 200 beds and only one to five IT people helping with security, which makes it all the more difficult to make a safe transition to EHR in so little time and without outside assistance.

The potential of DATA Spill that comes with Obamacare’s push to EHR with hospitals having little to no security in place is something all healthcare providers should be concerned with.

What solutions are you looking to implement for the information security needs of your facility as you transition to EHRs?


Photo Courtesy of Bobjgalindo