Security Tips for First-Time EHR UsersAdvice for Clinics Adopting Electronic Records
But what key steps should these EHR novices take to make sure that, as they adopt electronic records, patient information remains private and secure?
Experts offer a wealth of advice, but stress that a critical first step is to conduct a thorough risk assessment. Other key steps include:
- Make widespread use of encryption;
- Adopt authentication technology, especially for remote access, from day one;
- Protect paper records during the transition;
- Devote extra attention to security training.
They also advise shoppers to ask EHR vendors a long list of security questions before selecting a system.
A final rule spelling out standards for EHR software eligible for the incentive program requires specific security capabilities, including encryption and authentication.
Nevertheless, risk management expert Mac McMillan advises those shopping for an EHR system to include security specifications in their requests for proposals and ask for a demonstration of security functions before selecting a system.
Once a system is selected, McMillan, CEO at CynergisTek Inc., says clinics should ask the vendor to sign a detailed security agreement in addition to a broader business associate agreement.
Risk AssessmentsAlthough the original HIPAA security rule mandated that healthcare organizations conduct a risk assessment, many have ignored that requirement, security experts say.
But now, if clinics want to receive financial incentives from Medicare and Medicaid for using electronic health records, they must complete a risk assessment and regularly update it. A final rule that spells out how organizations must "meaningfully use" electronic health records to earn federal incentive payments includes the risk analysis requirement. But the rule stops short of requiring the use of any specific security technologies, including encryption.
Before conducting a risk assessment, a practice should complete an inventory of all the personal information that it collects, manages and shares, says Eric Nelson, privacy practice leader at the Lyndon Group.
The reason for an inventory, he says, boils down to, "How can you protect something when you don't know what you have to protect?"
The inventory should also "identify who has access to that information, determine if they need access to that information to perform their job, and if they don't, determine whether that information needs to be restricted."
Risk assessments should address key questions, Nelson says. These include:
- Does the practice have general security standards and policies in place?
- Does the practice have and maintain appropriate administrative policies and procedures related to its workforce?
- Has the practice identified and addressed potential risks as it relates to the physical environment of its data?
- Are appropriate technical controls in place to protect electronic health information and restrict unauthorized access?
- Does the practice have appropriate agreements in place with business associates with whom they share health information?
- Does the practice have written security policies and procedures that comply with the HIPAA security rule? And are those updated regularly?
While some practices seek outside help with risk assessments, others complete them on their own.
For example, Fox Prairie Medical Group in suburban Chicago conducts its own annual assessment, shutting down the practice for a "compliance meeting so everyone can get involved, says Stasia Sands-Kahn, M.D., co-founder of the three-physician practice.
EncryptionWhen it comes to protecting patient records, encryption is one of the most essential technologies, security experts say. Although the rules for the EHR stimulus program don't explicitly mandate the use of encryption, clinics should adopt the technology as they roll out EHRs, they say.
"To protect one workstation with encryption probably costs about $500," says Susan Miller, an independent attorney and security expert. This is a small investment to make when compared to the loss of reputation from an information breach, she argues. "You don't want to see your practice on the front page of the local newspaper or on the local news."
Nelson says encrypting mobile devices and media, which are particularly vulnerable, should be a top priority. "But it's also a good practice to do it on your servers and workstations as well," he adds. Plus, practices have many options for adopting secure e-mail that uses encryption, he notes.
AuthenticationPractices adopting EHRs for the first time should consider incorporating two-factor authentication technology, especially for remote access, from the start, says Jack Daniel, project lead for security services at Concordant, a consulting firm.
"If a practice is going to implement any security technology, they should bake it in from the beginning," Daniel stresses.
Authentication ensures that only those authorized to view records can gain access to them. Options range from smart cards to biometric systems, such as fingerprint or retinal scans.
Protect PaperWhen making the transition from paper to electronic records, physician practices must take adequate steps to ensure the old records are disposed of properly, Nelson stresses.
"Someone shared a story with me about coming upon a medical center about a year ago where some kids had broken into an outside storage locker where the small clinic had just stored their records and the kids had broken the locks off the door and medical records were completely strewn across the parking lot," Nelson says. "It was not done maliciously...but somebody easily could have broken in and stolen those records.
"So improper storage prior to disposal of paper records is one of the biggest threats during the transition to electronic health records."
TrainingSecurity technologies and policies will prove to be of little value unless staff members receive extensive training, security experts say. "We have to make sure that people don't make too many mistakes," Miller says.
"There are going to be a lot of vendors out there telling you what kind of technologies to use," Nelson says. "But it boils down to the people and the policies and the procedures."
(See also a companion story about key security questions to ask EHR vendors.)