EHR Security: Lessons From a Pioneer
Why a Practice Updated Risk Assessment, Expanded Encryption
For example, Compass Medical, a practice with about 60 physicians at 10 clinics in southeastern Massachusetts, has conducted three risk assessments since rolling out its EHR system, GE Centricity, in 2004, says Jamie Barber, CEO. As it has expanded its use of EHRs, the practice has:
- Broadened its use of encryption;
- Implemented single sign-on;
- Made extensive use of thin clients to help minimize security risks;
- Developed a virtual private network for remote access;
- Introduced proximity badges to improve physical security.
Next on tap for the practice is implementation of biometrics -- fingerprint scanners -- for authentication.
Risk Analysis Essential
Like many physician group practices, Compass will apply for EHR incentive payments under the HITECH Act, hoping to earn the maximum $44,000 per physician from Medicare, Barber says.
His main security advice for others just getting started down the road toward installing an EHR: A thorough, and frequently updated, risk analysis is essential, because it helps identify risks, which then can be addressed.
Compass hired the consulting firm Concordant to complete its latest assessment this year. Among other things, that assessment pointed to the need for additional physical security, which led to the expanded use of proximity badges. Getting outside help with a risk assessment, Barber says, "gives us some peace of mind" that security is adequately addressed.
HITECH Act Considerations
To qualify for Medicare and Medicaid incentive payments under the HITECH Act, group practices and hospitals alike must conduct a risk assessment. But HIPAA already included the requirement for such an assessment, although many physician groups "probably haven't done it as formally as they should," says Margret Amatayakul, president of MargretA Consulting.
"When you introduce an electronic health records system, you're introducing a mission-critical system ... and creating greater risk," Amatayakul stresses. That's why clinics must complete a well-documented, updated risk assessment before rolling out EHRs.
She advises smaller practices with limited resources to read a risk assessment document on the website of the Department of Health and Human Services' Office of the National Coordinator for Health IT. The risk analysis report is a useful resource that not only addresses maintaining the confidentiality of patient information but also maintaining data integrity and availability, two key considerations, Amatayakul says.
The Role of Encryption
Compass has recently ramped up its use of encryption to help improve security and comply with the HITECH Act, which increases penalties for violating the HIPAA privacy and security rules and requires the reporting of major health information breaches.
Network connectivity from each clinic to a central data center is through an encrypted tunnel, and each site has an encrypted wireless network, says Robert Clairmont, director of IT. All laptops and tablets are encrypted. And the organization uses centrally managed hard drive encryption.
In addition, Compass makes extensive use of thin clients tied to a Citrix network so that most clinical information resides on servers, where it's more secure, Clairmont explains. It also generally does not allow storage of clinical information on laptops, tablets or other devices with hard drives. "But we encrypt them anyway," he adds.
"One of our goals is to offer our providers whatever hardware options they prefer," says Barber, the CEO. "Our younger providers like laptops and tablets; our older providers like desktop thin clients. As long as they're all secure, we're happy to provide them."
Encryption as Breach Preventer
A majority of the major health information breaches reported to the HHS Office for Civil Rights so far have involved unencrypted computer devices and media. The HITECH Act breach notification rule contains a safe harbor that exempts organizations from reporting breaches if the data involved was properly encrypted.
As a result, Amatayakul says, "Laptops should be encrypted and portable media should be encrypted, including CDs given to patients." In addition, group practices should limit the amount of clinical information stored on laptops and other portable devices to minimize risk, she says.
"Encryption utilities are a lot easier to use these days," she adds. "They are coming embedded in new operating systems that are the platforms for electronic health records."
User Authentication
Compass implemented a virtual private network to enable physicians to remotely access certain clinical information. The network uses technology that scans the physicians' company-provided encrypted laptops to make sure all virus patches are up to date and no viruses are present and then provides role-based access to specific systems, Clairmont says.
For remote access, user authentication is accomplished with user name and password, with a three-strike limit on inputting the wrong credentials. Compass is investigating several options to create two-factor authentication for remote access to beef up security, Clairmont says.
As for authentication inside the clinics, Compass soon will pair fingerprint scanners with a single sign-on system that's already in place.
This combination of technologies will help the clinics comply with the HITECH Act by making sure only those who are authorized can access patient data, Barber says. Plus, it will make it easier for the doctors to authenticate themselves. "Physicians don't want to be delayed with signing on," the CEO adds.
Because its latest risk assessment identified the need to beef up physical security at the clinics, Compass is expanding its use of proximity badges, which are used to access specific protected areas, such as rooms with specialized equipment.
And as it implements a patient portal in the months ahead, Compass will be creating privacy and security policies regarding using the portal to communicate with patients.