Peer Review Form
Complete the form by inserting your answers and suggestions in the right column. (The column expands as you write.)
Peer Review Questions
Your Suggestions, Comments, Encouragements
1. Is the title original? Is the title relevant to the paper content?
2. Does the opening paragraph catch your attention? Does the opening paragraph lead smoothly into the thesis?
3. Is the thesis statement clear and effective? Does the thesis statement accurately capture the overall message of the paper?
4. Does the paper flow well, following your outline? Are there smooth transitions between paragraphs? Is the content organized in a logical way that allows for development of ideas?
5. What mechanical problems do you find? (Spelling, Grammar, Wording, Sentence structure, etc.)
6. Is the content relevant to the topic? Does the content support the thesis of the paper?
7. Does the conclusion effectively summarize the content?
8. Is the paper formatted using proper APA standards (title page, page numbers, etc.)?
9. Are references relevant and credible? Are references listed in proper APA format in a References Page?
10. What further research might help to add more depth to the paper?
Rough Draft/ Electronic Health Records: Are the Benefits Worth the Risk?
Teresa Sly
Rasmussen College
Author Note
This paper is being submitted on November 15, 2016, for Holli Rich’s GEB 3110 Research and Report Writing course.
Rough Draft
Electronic Health Records: Are the Benefits Worth the Risk?
On February 17, 2009, President Obama signed into law a $789 billion economic stimulus package, formally known as the American Recovery and Reinvestment Act, or ARRA. Included in ARRA legislation is the Health Information Technology for Economic and Clinical Health (HITECH) Act. The HITECH Act set aside 27 billion for an incentive program that encourages hospitals to adopt electronic health records. Billions more were allocated to help train health information technology workers and assist hospitals and providers to adopt these systems. To gain these incentives, providers of health care are required to show that they have achieved "meaningful use" of that system regarding improving quality. At a minimum, that will mean having systems capable of e-prescribing, reporting quality data, and exchanging data among providers ("ARRA Hitech," n.d.).
I believe that in its haste to adopt electronic health records and gain lucrative incentives, the health care industry has overlooked serious security issues. According to an article entitled “Safety and Privacy in Electronic Health Records,” in The Journal of Biomedical Informatics, the authors state “there has been little activity in policy development involving the numerous security and privacy issues related to electronic health records.” Moreover, the advances in Information and Communications Technologies have led to a situation in which patients’ health data are confronting new security and privacy threats (Fernandez Aleman, 2013, pp. 541-562).
The above and following information supports both my hypothesis, electronic health records have many vulnerabilities and shortcomings in regards to protection of patient health information, and my thesis statement, although electronic health records have many benefits, electronic health records are vulnerable to hackers who can steal our personal data for criminal gain. I believe the risks outweigh the benefits.
According to Richard Clark, former White House Security Czar, in his address to the Healthcare IT News Privacy and Security Forum, the year 2015 was among the worst in cyber security across the healthcare sector. On average, companies that suffered a breach did not know it for 270 days, and some had been breached for seven years without knowing it. In a direct quote from Mr. Clark's speech he states “You guys know it, Healthcare IT security: you have a bad reputation. When it gets down to healthcare there's always a little chuckle about how bad they (EHR security systems) are. We can't put that in a closet and pretend it's not true” (Sullivan, 2015). This quote leads me to believe that experts in the health care IT field are very aware of the shortcomings in the security of EHRs.
In a personal interview with Candace Fenske, Administrator of the Madelia Community Hospital and Clinic, on October 25, 2016, I learned that the facility has adopted and uses electronic patient records. The providers at the facility routinely use the system to order medications, retrieve lab results, send and receive data from affiliated providers, and use computerized physician order entry. I told her that the focus of my questions would be the possible repercussions of a breach of patient data by unauthorized individuals. Ms. Fenske stated that to her knowledge this has not occurred at the facility, but if it did, the foremost repercussion would be a loss of patient trust in the provider. “In a small independent rural hospital, patient confidence in the staff and the facility is critical.” “There would, of course, be fines to the organization from the resulting HIPAA violations, but again, the loss of trust would be the most devastating consequence.” “If patients do not believe that we can keep their personal information private, they will not continue to receive their healthcare here.” When asked if she believes that in its rush to digitize our personal health information, the healthcare industry overlooked necessary security measures, Ms. Fenske stated, “There are certainly incentives in place for healthcare organizations to adopt electronic records, and possible fines for those that don’t adopt them. For a hospital to remain competitive it becomes necessary, and yes, with the way technology is advancing, there will always be new cyber threats, and the health care industry has been somewhat naïve about that.” I presented Ms. Fenske with the following data:
Based on data collected by the Health and Human Services Office for Civil Rights, as of February 1, 2016, protected health information breaches affected over 113 million individuals in 2015. In 2015, hacking incidents comprised nearly 99% of all people affected by breaches, and the number of reported hacking incidents comprised over 20% of all reported breaches ("Office of the National," 2016).
“One overarching finding of our research is that the industry focuses almost exclusively on the protection of patient health records, and rarely addresses threats to or the protection of patient health from a cyber threat perspective” (Ponemon, 2016).
“We found egregious business shortcomings in every hospital, including insufficient funding, insufficient staffing, inadequate training, lack of policy, lack of network awareness and much more. These vulnerabilities are a result of systemic business failures” (Harrington, 2016).
“These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” said Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas (Terhune, 2015).
I found her response to the data surprising. She stated, “I don’t find that hard to believe, but the incidents are probably higher than that, as this is a subject that health care organizations are very reluctant to talk about.” While I saw no intention on Ms. Fenske’s part to be deceptive, I felt that this was certainly a sensitive issue in the health care industry as a whole. Our interview concluded shortly after that (C. Fenske, personal communication, October 25, 2016).
While there is no real way to know what particular breaches of sensitive patient health information have gone unreported, those that have, are staggering.
The United States Department of Health and Human Services Office of Civil Rights is required by the Health Information Technology for Economic and Clinical Health (HITECH) Act to publish a list of breaches of unsecured protected health information affecting 500 or more individuals. The published list must include the names of the private practice providers who have reported the breaches. The list goes back to 2009, and contains 1718 individual entries and contains 18 pages with the last entry on 10/21/2016 (United States, 2016, pp. 1-18).
I believe this, and the information preceding it, support my thesis statement.
The sheer amount of compromised health information is staggering; due to that fact I will focus my data on those incidents that involve hacking of health information from outside sources. The following statistics also support my thesis.
Sixty-eight percent of Americans state that they are not confident that their healthcare providers will protect their medical records from loss or theft. Fifty percent of Americans also report that they would lose trust in their provider if it has been proven that they are negligent in the breach of their personal health information (Fifth Annual, 2015).
According to The Bitglass Healthcare Breach report, “Last year in the United States, more than 113 million individuals had their personal health information breached due to a hack or IT incident.” The majority of healthcare records leaked (98 percent) in 2015 were compromised due to large-scale cyber attacks. In 2015, there were 56 breaches due to hacking or IT incidents, compared to 31 in 2014. CEO of Bitglass Nat Kausik states, “The 80 percent increase in data breach hacks in 2015 makes it clear that hackers are targeting healthcare with large-scale attacks affecting one in three Americans. As the IT revolution compounds the problem with real-time patient data, healthcare organizations must embrace innovative data security technologies to meet security and compliance requirements” (Pallardy, 2016).
The Health and Human Services Office for Civil Rights also reports that as of February 1, 2016, protected health information breaches affected 113 million individuals in 2015. Hacking incidents comprised nearly 99% of all persons affected by breaches, and the number of reported hacking incidents, 57, comprised over 20% of all reported breaches ("HHS/OCR Breach," 2016).
The five data breaches that affected the most individuals in 2015 as reported by the Health and Human Services Office of Civil Rights breach notification portal are as follows:
Anthem: 78.8 million individuals affected
In February 2015, Indianapolis-based insurance payer Anthem reported its network had been hacked. The organization learned of the attack in late January when a systems administrator noticed a database query using his identifier code was running, but he had not initiated the query.
Premera Blue Cross: 11 million individuals affected
On Jan. 29, Washington-based Premera Blue Cross learned of a cyber attack on its IT systems. The insurance payer notified the public in March, indicating the hack affected 11 million customers, employees, and business affiliates.
Excellus Health Plan: 10 million individuals affected
New York-based Excellus Health Plan reported a cyber attack in September affecting 10 million records. The payer learned of the attack in August, and an investigation revealed the cyber attackers initially accessed the payer's IT systems in December 2013. The breach affects members with Excellus plans and other Blue Cross Blue Shield plan members who sought treatment in Excellus' upstate New York service area.
UCLA Health: 4.5 million individuals affected
The protected health information of nearly 4.5 million people was compromised at UCLA Health when hackers launched a cyber-attack on the health system's network. The health system learned of the attack May 5 and reported it in July. The initial investigation into the attack suggests the cyber attacker had access to the IT system since September 2014.
Medical Informatics Engineering: 3.9 million individuals affected
The medical software company based in Indiana, Ind., was hacked on May 7 and affected 3.9 million individuals nationwide. The company detected the cyber attack May 26 and reported it June 10 (Jayanthi, 2015).
The HHS OCR breach portal is required by section 13402 of the HITECH Act to post a list of breaches of unsecured protected health information affecting 500 or more individuals. There are currently 11727 entries beginning on October 21, 2009, and ending on October 26, 2016. I have focused on only those breaches that involved hacking from outside sources in the year 2016. Those breaches totaled four million one hundred and four thousand and ninety-five incidents ("HIPAA for Professionals," n.d.).
To solve some of the security issues involved in the use of EHRs, Steve Manzuik, Director of Security Research at Duo Security, offers these suggestions for health care facilities to prevent hacking of patient records. He first suggests updating Java and Flash software often used for e-prescribing, as older versions of these programs have vulnerabilities that hackers can exploit. Manzuik also recommends updating devices, browsers, and operating systems. Hackers can easily exploit flaws in an outdated operating system to gain unauthorized access to networks. He also urges health care facilities to speak to employees and stakeholders about using strong, unique passwords. Using two-factor authentication will also add another layer of security to your electronic records. Two-factor authentication is a process in which not only a user name and password are required, but also a second password known only to each user is needed to access the records. Employees should be cautioned to refrain from opening links or attachments from unknown sources, and lastly, Manzuik suggests that every facility regularly back up important files (Manzuik, 2016).
Many solutions have been offered to solve security issues related to the adoption of electronic health records, and many, like those above, are simple. But the sheer volume of people, especially in a large interconnected organization, accessing personal health information on a daily basis could make even simple security measures difficult.
I believe that the preceding evidence supports my thesis statement that although electronic health records have many benefits, electronic health records are vulnerable to hackers who can steal our personal information for criminal gain. I believe the risks outweigh the benefits.
For our personal health information to remain secure, the health care industry would have to continuously upgrade their systems, and provide ongoing training to employees. This, added to the initially significant expense of implementing the system, makes EHRs incredibly expensive, especially for smaller practices and those not eligible for government incentives. In a 2016 ABC Action News report, security experts state “for health care, getting hacked is a matter of when, not if” (Paluska, 2016). Do health care organizations now have to add litigation expenses to the already mounting costs of EHRs? Until the obvious security concerns related to electronic health records can be resolved, I will continue to believe that the risks of EHRs outweigh the benefits.
References
ARRA hitech act faq's. (n.d.). Retrieved November 17, 2016, from http://www.arrahitechsolutions.com/ARRA_HITECH_Act_FAQ_s.html
Fernandez Aleman, J. L. (2013). Security and privacy in electronic health records: A systematic literature review. The Journal of Biomedical Informatics, 46(3), 541-562. http://dx.doi.org/10.1016/j.jbi.2012.12.003
Fifth annual study on medical identity theft. (2015, February). Retrieved from http://medidfraud.org/wp-content/uploads/2015/02/2014_Medical_ID_Theft_Study1.pdf
Harrington, T. (2016, February 23). Hacking hospitals. Retrieved from https://securityevaluators.com/hospitalhack/
HHS/OCR breach portal. (2016, October 26). Retrieved from U.S. Department of Health and Human Services (HHS) Office for Civil Rights. Breaches Affecting 500 or More Individuals database.
HIPAA for professionals breach notification. (n.d.). Retrieved from http://www.hhs.gov/hipaa/for-professionals/breach-notification/
Jayanthi, A. (2015, December 14). The five biggest health care breaches of 2015. Retrieved from http://www.beckershospitalreview.com/healthcare-information-technology/5-biggest-healthcare-data-breaches-of-2015.html
Manzuik, S. (2016, May 26). How hospitals are getting hacked and how you can prevent it from happening to you. Retrieved from http://www.healthitoutcomes.com/doc/how-hospitals-are-getting-hacked-and-how-to-prevent-it-from-happening-to-you-0001
Pallardy, C. (2016, January 27). Large scale cyber-attacks account for 98% of breached health records. Retrieved November 5, 2016, from http://www.healthit.myindustrytracker.com/en/article/126184/large-scale-cyberattacks-account-for-98-of-breached-health-records
Paluska, M. (2016, March 28). Security expert: Getting hacked is a matter of when not if. Retrieved from http://www.abcactionnews.com/news/security-expert-getting-hacked-a-matter-of-when-not-if
Ponemon, L. (2016). Securing hospitals. Retrieved from https://www.securityevaluators.com/hospitalhack/securing_hospitals
Sullivan, T. (2015, December 1). 7 cyber threats worse than PHI breaches. Retrieved from http://www.healthcareitnews.com/news/7-cyber-threats-other-phi-or-pii-breaches
Terhune, C. (2015, July 17). UCLA data breach affects 4.5 million patients. Retrieved from Los Angeles Times website: http://www.latimes.com/business/la-fi-ucla-medical-data-20150717-story.html