Protecting the data in electronic health records did not start with the advent of HIPAA — the Health Insurance Portability and Accountability Act of 1996 — as many people think. Protecting health records has been a critical requirement in the healthcare space since the computers became a fixture in hospitals. However, HIPAA added public reports of fines issued for covered entities’ failure to properly protect data contained within EHRs.

Many people assume that EHR data has limited value to unauthorized users. (Who cares about my blood test results, or that I just visited my dermatologist?) Understanding their value is quite simple, though. In addition to personal health information, or PHI, EHRs contain Social Security numbers, which never expire — and cybercriminal use of SSNs is not easily detected.

No Expiration Date

Stealing EHRs is better for cybercriminals than stealing credit cards, which can be used only until the card expires, is maxed out or canceled, according to a Trend Micro study released last month.

“…an EHR database containing PII that do not expire — such as Social Security numbers — can be used multiple times for malicious intent,” the study explains. “Stolen EHR can be used to acquire prescription drugs, receive medical care, falsify insurance claims, file fraudulent tax returns, open credit accounts, obtain official government-issued documents such as passports [and] driver’s licenses, and even create new identities.”

Another important statistic that helps explain why cybercriminals are attracted to EHR data is that 91 percent of the U.S. population has health insurance. It’s no wonder, then, that 113.2 million healthcare-related records were stolen in 2015, according to Trend Micro.

What About Federal Laws?

Everyone remembers signing dozens of documents before getting to see a doctor. If you were to read each document, you would find that you agreed to allow the protection of your personal health information. The U.S. Department of Health and Human Services is responsible for HIPAA oversight.

Under HIPAA, all covered entities must protect PHI in very specific ways. Healthcare providers that are covered entities include doctors, clinics, psychologists, dentists, chiropractors, nursing homes and pharmacies — but only if they transmit any information in an electronic form in connection with a transaction for which HHS has adopted a standard.

There are thousands of covered entities out there, including solo doctors, psychologists, dentists, and chiropractors, all of whom…