1 min read
When are shadow records a risk to healthcare cybersecurity?
Kirsten Peremore Sep 16, 2024 6:28:02 AM
Shadow records are patient records in systems separate from the main patient record systems in healthcare organizations. These systems are often seen in a negative light due to the potential negatives they hold for patient information and medical continuity.
Understanding shadow records
Shadow records or ghost charts refer to unofficial or undocumented records created and maintained outside the formal electronic health record (EHR) systems. The records stem from gaps and inefficiencies in the official record keeping systems. These records include handwritten notes, untracked electronic documents, or data stored on the personal devices of healthcare staff. According to a Chapter from Studies in Health Technology and Informatics states that “Ghost charts are considered substandard practice in that they are presumed to compromise patient safety.”
The negative effects of shadow records
- Shadow records can hinder the creation of a complete and chronological view of a patient's medical history.
- When a shadow record is used, there is a higher risk of duplicating diagnostic tests or procedures.
- Medication lists and treatment plans might be incomplete or outdated, creating gaps in care.
- Shadow records can contribute to miscommunication among healthcare teams as information is dispersed and lacks uniformity.
- The records may not always reflect the most current patient consent or authorization statuses.
When are shadow records a risk to healthcare cybersecurity?
Shadow records are at risk for unauthorized access when the system is unsecured. Because these systems often contain protected health information (PHI), patients are then left in vulnerable positions due to inadequate protection.
The information in these shadow records oftentimes also contains information related to the organization itself which can be used by threat actors to further blackmail the organization. In more concerning cases they may use this information to launch secondary attacks aimed at larger-scale information mining.
Access to secured systems like HIPAA compliant email systems then results in the breakdown of internal systems necessary to provide patient care.
Related: HIPAA Compliant Email: The Definitive Guide
FAQs
What is PHI?
Any personal information about a person's health or medical history is protected by HIPAA.
What is a threat actor?
An individual or group that intentionally causes harm or disruption to a computer system or network.
Which forms of cyberattacks target email?
Phishing, spear phishing, ransomware, and email spoofing.