Many large healthcare organizations have been securing electronic health records for years. But now, industrywide adoption will include providers of all shapes and sizes--most of which don't have chief security officers, compliance specialists, CIOs, or even full-time IT staffs.
Helping them secure their electronic records is an unprecedented challenge. The products and technologies needed are available, but the trick is in getting all providers to understand what's required, prepare physicians and staff, and tap into the appropriate expertise.
The Health Insurance Portability And Accountability Act, or HIPAA, requires that EHRs and the data in them be guarded throughout their life cycles. Risk assessments must be performed and access privileges determined. You'll need policies to secure all possible points of data leakage, including desktops, servers, databases, mobile devices, and the Internet.
In short, you must protect data at rest and in motion, and prepare for the inevitable breaches.
Creation And Use
When a patient walks into a provider's office for the first time, the terminal at reception must be hardened, hosted on a trusted network, and continually scanned for viruses and malware. Receptionists should be able to add basic patient information but have limited access to executable files.
Access privileges should be assigned that strictly regulate employees' ability to view, enter, edit, and delete data based on what they need for their jobs. For example, billing personnel don't need to see the results of the medical tests that they're charging patients for.
Attending physicians should use unique credentials to access the EHR application to record diagnoses. E-medical records must be signed with electronic signatures, which include PIN codes and are saved in encrypted files. Signatures verify that information has been reviewed every time a physician signs off on an EHR. They also let the medical staff sign off on records from any location, expediting processing, reducing workflow costs, and maintaining HIPAA compliance.
Scattering PCs and other access points throughout a facility, and especially having them in examination rooms, leaves them at risk of being tampered with. Devices should be in secure locations, or physicians should carry tablets. Portable devices bring their own risks, so have strict rules for them, and implement an inventory tracking system. A good rule of thumb: Leave data in the database.
EHR systems must log who views, adds to, and edits records, as well as when and where they do these things. This a core tenet of HIPAA and other compliance requirements. Use data-loss prevention tools to filter communications for patient privacy data such as names, Social Security numbers, and medical and financial keywords. Also, keep auditable logs on traffic and downloads, and watch for signs of policy and procedure violations.
Storage And Retrieval
Centralized digitized records provide patients with one consistent medical history, but centralization also increases the risk of compromise. The sheer size of a typical hospital database makes the potential impact of unauthorized access catastrophic. An intruder can capture thousands of medical, financial, and personally identifiable records with a single successful attack.
Evaluation techniques must be in place to determine what data to encrypt and to balance system performance goals with privacy protection. Healthcare providers should never use the services of third-party storage vendors that don't encrypt data.
Instant exchange of personal health data among hospitals, clinics, doctors' offices, labs, and other organizations improves the quality and responsiveness of patient care, while providing a wide range of remote-access capabilities that simplify workflow. But you need to know who has access to the systems through which data enters and exits. Unprotected end points give attackers the keys to the kingdom.
Business associates must agree to adhere to strict rules regarding use and disclosure of personal information. Data should be encrypted during transport, using 128-bit encryption required by the Certification Commission for Health IT, the nonprofit group that certifies EHR systems. Digital certificates also should be used to authenticate senders and recipients.
Some providers prohibit the use of personal e-mail and instant messaging altogether for sharing medical data. At a minimum, all business communications should be encrypted and the contents scanned for sensitive data.
Data shared for research purposes must have all personally identifiable information removed. Statistical software can be used to do this, but it's far from perfect. And scrubbed records can sometimes be easily re-identified despite a healthcare provider's best efforts.
Backup and recovery is another area in EHR planning where security is paramount. HIPAA requires daily off-site backup of all EHRs. Many smaller practices back up records daily on tape or disk, and transmit them by courier each night to secure locations. However, more and more practices rely on third-party online, remote services, where the data is transmitted over a secure network using encryption and stored in fault-tolerant, fully redundant servers. For large organizations, backup and recovery pro- cesses are already well defined and usually part of a larger continuity of operations plan.
Most states require physicians and hospitals to keep medical records seven to 10 years from the anniversary of a patient's last treatment and for minors, until they're 21. Rules vary from state to state and may differ from one type of healthcare provider to another. For example, some states don't require pharmacists to keep records as long as physicians. Given this, it's important to have a policy specifying how long records are retained and what constitutes proper disposal.
In the case of EHRs, simply deleting the data file isn't sufficient, since deleted information can easily be recovered from a computer's hard drive or a formatted disk. This is especially important to remember when giving away or recycling a device. Disk-wiping software can prevent unauthorized recovery by overwriting entire drives before they're discarded or reused. Some software is more thorough than others for permanent erasure. A popular approach is the 35-pass overwrite, where 35 patterns are written over the erased area.
Another issue related to the retiring of EHRs is the question of who owns the information. Generally, the provider that creates a medical record owns it. This doesn't interfere with patients' rights to access their records or send them to other providers, because ownership and access rights are separate issues.
The policy, workflow, and technology complexities healthcare providers face make it impossible to offer blanket EHR security recommendations. A small doctor's office will have different requirements from a multipractice, distributed organization. Likewise, the size of an organization and types of services provided will affect the complexity of an implementation. Government agencies and military services have their own unique security and privacy requirements.
Still, there are some common approaches to security and privacy. The one sure way to make it all work is to establish a governance framework that defines the roles and responsibilities, policies, procedures, and accountability requirements for managing EHR security. This will go a long way in determining your specific technology requirements. The earlier you do this, the easier it will be to develop the integrated approach that best supports the EHR security requirements of your organization.
John Sankovich heads the federal healthcare IT practice at security and IT consultancy Truestone.