Imperva says staff training is essential when medical records are concerned

Commenting on reports that healthcare and IT experts warned the US Congress earlier this month about security concerns surrounding the increasing use of EHRs (electronic health records), Imperva says that media reports and research point to a lack of understanding within healthcare organisations as to why EHRs need protecting.

According to Rob Rachwald, director of security with the data security specialist, recent research from PricewaterhouseCoopers found that 64 per cent of staff working with EHR data were unaware of whether – or not – their firm had suffered a data breach within the last two years (http://bit.ly/sS0NmX).

“Perhaps worse, only 58 per cent of healthcare providers and 41 per cent of health insurers reported including appropriate EHR usage as a component of their staff privacy training,” he said.

“As I said in a recent security training posting, security training is a big deal as, without training, staff do not know how to properly handle data or, more importantly, how to respect that data,” he added.

The Imperva director of security went on to say that you wouldn’t give a gun novice a fully-loaded weapon without instructions, and similarly, you don’t give a medical or healthcare professional a few megabytes of data - and expect it to be properly protected or destroyed.

Rachwald says that, against this backdrop, it is understandable that media reports on the Washington DC lobbying of Congress last week noted that IT security professionals agreed that, if the public are to trust their healthcare records, their healthcare employers need to develop database security best practices.

These best practices, he adds, are the same basic governance principles that any organisation – and not just those handling healthcare data – needs to develop in order to pass muster with the appropriate governance regulations.

But, says Rachwald, simply meeting the basic governance regulations is not the end of the story when it comes to organisations handling EHR data, as this simplistic approach is not going to garner the public’s trust.

“Unless healthcare organisations train their staff – and not just their IT staff – in basic aspects of security, and help them understand the reasons why this security is so essential, data breaches involving EHR and allied data will continue to hit the headlines,” he added.