Electronic PHI (ePHI) may exist in your practice in a variety of systems, including Electronic Health Records (EHRs). Because all electronic systems are vulnerable to cyber-attacks, you must consider all of your practice’s systems and technologies, not just the EHR, when planning and carrying out security efforts.


While a discussion of ePHI security goes far beyond EHRs, visit Chapter 4 of the Guide [PDF - 275 KB] to learn more about EHR security and cybersecurity.



What is an electronic health record (EHR)?

Electronic Health Records: The Basics


An electronic health record (EHR) is a digital version of a patient’s paper chart. EHRs are real-time, patient-centered records that make information available instantly and securely to authorized users. While an EHR does contain the medical and treatment histories of patients, an EHR system is built to go beyond the standard clinical data collected in a provider’s office and can include a broader view of a patient’s care. EHRs can:


  • Contain a patient’s medical history, diagnoses, medications, treatment plans, immunization dates, allergies, radiology images, and laboratory and test results

  • Allow access to evidence-based tools that providers can use to make decisions about a patient’s care

  • Automate and streamline provider workflow


One of the key features of an EHR is that health information can be created and managed by authorized providers in a digital format capable of being shared with other providers across more than one health care organization. EHRs are built to share information with other health care providers and organizations – such as laboratories, specialists, medical imaging facilities, pharmacies, emergency facilities, and school and workplace clinics – so they contain information from all clinicians involved in a patient’s care.


For More Information

For more information on EHR systems, see the following resources.



Cybersecurity: A Shared Responsibility


Cybersecurity refers to ways to prevent, detect, and respond to attacks or unauthorized access against a computer system and its information.


While cybersecurity is keenly important for health care data and information systems, its importance touches all U.S. critical infrastructure. Sectors like energy, finance, public transit, and defense rely on cybersecurity to protect them from attack and disruption.


Because cybersecurity affects all of us, cybersecurity is a shared responsibility. The U.S. Government provides resources to equip all sectors to engage in the shared effort. One of these resources is the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (also known as the Cybersecurity Framework).


Cybersecurity Framework


On February 12, 2013, President Obama issued Executive Order 13636 [PDF - 332 KB] “Improving Critical Infrastructure Cybersecurity.” The order called for the development of a Cybersecurity Framework that organizations can use to help reduce and manage their cybersecurity risks.


As a result, NIST published a Framework for Improving Critical Infrastructure Cybersecurity. In its own words, “The Framework enables organizations — regardless of size, degree of cybersecurity risk, or cybersecurity sophistication — to apply the principles and best practices of risk management” to make critical infrastructure more secure.

The Framework is flexible by design. It allows organizations to apply the Framework in their own context, including that of health care.


Cybersecurity Resources for the Health Care Sector


In parallel with the Framework, the Office of the National Coordinator for Health Information Technology (ONC) continues to develop educational resources around health care cybersecurity and risk management. A few examples include:




The HIPAA Privacy Rule establishes national standards that give patients the right to access and request amendment of their Protected Health Information (PHI) and to request restrictions on the use or disclosure of such information. The HIPAA Security Rule establishes a national set of security standards for the confidentiality, integrity, and availability of electronic protected health information. The HIPAA Privacy and Security Rules apply to covered entities. Covered entities include health care providers and professionals such as doctors, nurses, psychologists, dentists, and chiropractors. Individuals and organizations that meet the definition of a covered entity and that transmit health information in electronic form in connection with certain transactions must comply with the Rules' requirements to protect the privacy and security of health information. For more information about the HIPAA Privacy and Security Rules, visit the HHS Office for Civil Rights Health Information Privacy website.


The Cybersecurity webpage content that Trojan Horse Security provides is for informational purposes only and does not guarantee compliance with federal or state laws. The information and tips presented may not be applicable or appropriate for all health care providers and professionals. We encourage providers, professionals, and organizations to seek expert advice when evaluating these materials. The Cybersecurity webpage content is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. It is also not intended to serve as legal advice or to offer recommendations based on a provider’s or professional’s specific circumstances.