Security Insights for Physician Groups
Miller, an independent attorney and consultant, advises practices to take advantage of two documents for help with creating risk assessments and complying with the HIPAA privacy and security rules. These include a "Small Practice Implementation White Paper" from the Workgroup for Electronic Data Interchange and a similar document from the National Institute of Standards and Technology.
She also advises physician groups to: Ask EHR vendors tough questions about their compliance with the HIPAA privacy and security rules; encrypt patient information on mobile devices, workstations and servers; adopt two-factor authentication when implementing EHRs; and make sure the EHR they select has good audit functions to aid in detecting breaches.
Miller, who has 35 years of experience, has been active in many initiatives at WEDI, a not-for-profit organization that focuses on improving the administrative efficiency, quality and cost-effectiveness of healthcare through the implementation of electronic record-keeping and information exchange. She currently serves as co-chair of the WEDI Security and Privacy Workgroup.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We're talking today with Susan Miller, an independent attorney and consultant. She's been at the forefront of healthcare security and privacy issues for many years. She currently serves as co-chair of the WEDI Security and Privacy Workgroup. Thanks so much for joining us today, Susan.
SUSAN MILLER: Well, thank you for having me.
ANDERSON: Many group practices are preparing to implement electronic health records and hoping to receive federal financial incentives under the HITECH Act to help pay for some of the costs. At what point should they conduct a risk assessment to help develop a security policy for the new EHR system? And what are the essential components of such an assessment, especially for a smaller practice?
MILLER: Well, Howard, I would say that they need to do it now. They have to be on top of it before they actually talk to a vendor or if they're going to ask their vendor for additional functionality so that they can get the incentives. So I suggest they go to two places. There's a WEDI small practice white paper written a number of years ago for small practices for privacy and security, and it has a short list of privacy and security assessments. And the things that they suggest within this document are, of course, policies and procedures and good training, but they also suggest an inventory of the computer systems and software within an office, regular virus checks, and a mitigation program...to use if there's something wrong, like a virus gets in there. You need a plan for disaster recovery in any office -- for systems failure or something worse than that. And they also suggest in that paper specific protection for e-mail communication. These are foundational steps that I think you need to take if you're going to do a risk analysis.
The second place I would look would be in the NIST special publications 800 series document 66, which is dedicated specifically to HIPAA security. The HIPAA security and privacy rules are the foundation of what you need in the EHR, and they have some suggestions for risk assessments. One of the things to address is: what are your current plans for security controls? The interesting thing that they suggest that you need to look at, that you wouldn't ordinarily think about for security, is whether your region is prone to natural disasters such as an earthquake, a flood or, in my part of the world, ice on the lines over the winter.
ANDERSON: So how often should the risk assessment be updated once you've got one?
MILLER: You should update it when you have a problem or when things change. If you had something go wrong with the system, like it crashed for some reason, maybe you need to do a part of a risk assessment dedicated to why your system crashed. And if you change things within your organization, say you've asked somebody else to come and join you as a partner...you would do a different risk assessment. When you upgrade your electronic tools, potentially you'll do a revised risk assessment. If you actually move your location, you might do a new risk assessment because part of your risk assessment is whether your building itself is secure. So those are the kinds of areas that you need to consider when deciding when to do an updated risk assessment.
ANDERSON: Physician groups of all sizes are shopping for electronic health records systems. What questions should they ask vendors about privacy and security issues, and should those questions be different depending on whether the practice hosts its own system or accesses it remotely via cloud computing?
MILLER: The baseline for anything is the HIPAA privacy and security requirements and the new updates to that that are in the HITECH Act and the regulations that are coming out. So those are the kinds of questions you need to ask. And the kinds of questions you need to ask for cloud computing...are the same kinds of questions that you would ask under any circumstance. Who has access to this data? Who can get their hands on the data? And the other thing is, you need to be able to audit who touches the data. So under any circumstances, whether it's in the cloud or it is in any other kind of electronic system, you need to know the authentication rules and the access rules and the audit rules. Those things are very important.
ANDERSON: Should all group practices implementing EHRs use encryption, and should they use it mainly for mobile devices or workstations and servers and e-mail as well?
MILLER: The answer is yes, yes, yes, yes. In today's world, the cost of protecting your system and doing the training is small compared to the loss of reputation and money. This is true for even a small provider. To protect one workstation with encryption that you then have to train your staff on is probably $500. The loss of your reputation is much, much worse. You don't want to see yourself on the front page of your local newspaper or on your six o'clock local news. So I think that you should have encryption on all levels....
I think it's good to have even your data at rest encrypted so that somebody walking through your practice, like your accountant, cannot turn on your system and get to the data.
ANDERSON: Should practices consider using two-factor authentication for clinicians in the early months of EHRs?
MILLER: ....Two-factor authentication is becoming quite simple because of the use of swipe cards. So you pull up the screen, you put in your password, you put in your ID and you swipe your card and it says, "This is Sue Miller authenticated to get onto this system." So yes, I think two-factor authentication should be necessary at the beginning because this is very special data.
ANDERSON: So what other security technologies and strategies should group practices consider?
MILLER: Well, I think one that's going to help enormously is one that's come along under the HITECH Act and that's breach notification. I think everybody is going to have to deal with breaches and breach notification, and I would think that a good EHR system would help you do the auditing on that so that you could find the breaches right away...by alerting you to those kinds of things. And of course, we have the basics that go along with any kind of system that people operate and that would be training and more training and more training and of course, good policies and procedures.
ANDERSON: Is there any other advice you'd offer to your practices regarding steps they can take to ensure the security of the records in their systems?
MILLER: We have to make sure that people don't make too many mistakes. So your greatest strength is your people, and sometimes your greatest weakness is your people. For instance, you can train people on HIPAA privacy and security.... But do you still have a yellow sticky note with your password on it? Do three of you use the same password?
I suggest you have some sort of a positive way to report issues so that it's not a negative to report and the person who's reported or the activity that's reported is also not found as negative until there's a full investigation. If somebody sees what they think is a mistake, they have the ability then to go talk to the office manager or the clinician and say, "I think something's wrong." And nobody gets into trouble to begin with because they're taught that we want to find the mistakes. We want to fill the holes.
ANDERSON: Well, thank you very much. We've been talking today with Susan Miller. This is Howard Anderson with Information Security Media Group. Thanks so much for listening.