Using EHRs' Security Capabilities
Will Hospitals, Physicians Take Advantage of New Functions?
The effort to certify records software as eligible for the Medicare and Medicaid incentive program, created by the HITECH Act, will begin in the months ahead. The standards for certification mandate that the software offer such security capabilities as encryption, authentication and audit logs.
"Any vendor worth their salt is going to add the functions in time to qualify," says Elise Ames, principal at HIS Professionals, which advises healthcare organizations on software selection.
A number of the larger EHR software companies are offering guarantees regarding the incentive program. "We have been offering and will continue to offer a guarantee that we will meet all the requirements for certification, including the privacy and security requirements," says a spokesman for Allscripts, which sells EHRs for both hospitals and physicians.
But some observers predict that smaller EHR companies may find it difficult to meet all the certification requirements for clinical recordkeeping as well as security capabilities.
And even some of the largest vendors could find it challenging to add certain required security capabilities, such as providing robust audit logs.
Sorting Out the Rules
Although the final standards for certified software mandate security capabilities, the final rule describing how hospitals must "meaningfully use" EHR software to earn the incentives does not explicitly mandate the use of any specific security measures. It calls on hospitals and physicians to conduct risk assessments and use appropriate technologies to mitigate the risks identified.
"The biggest issue is going to be getting people to actually use the security capabilities," says Margret Amatayakul, president of MargretA Consulting LLC, which advises organizations on EHR issues. "A lot of security features are already available in EHR software, and people turn them off or adjust them in some way. Many turn audit logging off because of fears that it impacts system performance."
Vinson Hudson, president of Jewson Enterprises, which advises physician groups, offers a similar perspective. "It's easier to pass certification standards than to actually put something into practice," he says. Although the certified EHR software that hospitals and physicians license may have all the required security capabilities, actually putting those functions to good use will prove challenging, he predicts.
That's why quizzing vendors about the security functions and then testing the security capabilities is essential, Ames says.
Hospitals and physician groups "should be asking the vendor about the security functions at every single point in the life cycle of their procurement or upgrade of an EHR," Ames says. "Ask vendors from day one to demonstrate their security capabilities and provide a system administration manual that describes how security, including encryption, is implemented."
Ames recommends that organizations buying an EHR system withhold final payment for 90 days after implementation, so they can test all functions in a real-world environment and verify that they work.
The Challenges
Some of the security capabilities for certified EHR software, such as audit logs that track "read only" access, could prove to be difficult for software vendors to add.
Many EHR databases routinely offer auditing that can track additions, deletions and updates, but some don't track read-only access, as required under the certification standards, says Kate Borten, president of The Marblehead Group, which specializes in security issues. Tracking read-only access would help identify unauthorized access, for example, by those curious about a relative or a celebrity who's being treated at a hospital or clinic.
"A lot of systems only do audit logging at the broadest level," Amatayakul adds. Some EHR software, she contends, cannot pinpoint who has accessed information at the level of a specific patient's record or a specific data element.
Ames, however, believes most of the major records software vendors already offer audit log functions that meet the certification requirements. "I spent a number of years as a privacy officer at a hospital, and I was involved in several investigations where I needed to access audit logs and I could see who had opened an electronic record," she notes.
The certification standards list as "optional" a requirement that software accommodate the tracking of disclosures of patient information to those outside of the organization, including insurers. Regulators expect to issue another proposed rule spelling out disclosure requirements by year's end.
"That disclosure rule likely will require some sort of audit log that differentiates between internal records use and external disclosures," Amatayakul predicts. Providing that capability could prove tough for EHR vendors, she acknowledges.
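The two audit-log gaps discussed above, read-only access that some systems never record and disclosures that are not distinguished from internal use, are easier to see against a concrete log. The following is an added example, not code from the article or from any EHR vendor: it parses a constructed, pipe-delimited audit log in which every access, including reads, is recorded per user, per patient record and per data element, flags accesses by users outside a hypothetical care-team table (the kind of "curious about a relative or a celebrity" access Borten describes), separates external disclosures from internal use, and shows what the same check yields when reads are not logged at all. The log lines, user names, patient identifiers and the CARE_TEAM table are all constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AuditEvent:
    ts: str          # ISO-8601 timestamp of the access
    user: str        # authenticated user id
    action: str      # create / read / update / delete / disclose
    patient_id: str  # record touched
    element: str     # data element within the record (labs, notes, ...)
    recipient: str   # external recipient; empty unless action == "disclose"


# Constructed sample log (not real data). One pipe-delimited line per event;
# the trailing field names the external recipient and is empty for internal use.
SAMPLE_LOG = """\
2010-07-14T08:02:11Z|dr_lee|read|P1001|labs|
2010-07-14T08:03:40Z|dr_lee|update|P1001|medications|
2010-07-14T12:15:02Z|clerk_ray|read|P1001|demographics|
2010-07-14T12:15:30Z|clerk_ray|read|P1001|notes|
2010-07-14T13:00:00Z|rn_park|read|P1001|vitals|
2010-07-14T14:45:09Z|him_ali|disclose|P1001|summary|Acme Health Plan
2010-07-15T09:10:00Z|dr_lee|read|P2002|labs|
"""

# Hypothetical treatment-relationship table: which users are expected to touch
# which record. In a real deployment this would come from scheduling or ADT data.
CARE_TEAM: Dict[str, Set[str]] = {
    "P1001": {"dr_lee", "rn_park", "him_ali"},
    "P2002": {"dr_chen"},
}

VALID_ACTIONS = {"create", "read", "update", "delete", "disclose"}


def parse_log(text: str) -> List[AuditEvent]:
    """Parse the constructed log format; reject malformed lines rather than skip them."""
    events: List[AuditEvent] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        fields = raw.split("|")
        if len(fields) != 6 or fields[2] not in VALID_ACTIONS:
            raise ValueError(f"malformed audit line: {raw!r}")
        events.append(AuditEvent(*fields))
    return events


def who_opened(events: List[AuditEvent], patient_id: str) -> List[Tuple[str, str, str]]:
    """Every user who touched one patient's record, read-only access included."""
    return [(e.user, e.action, e.element) for e in events if e.patient_id == patient_id]


def flag_unexpected_access(events: List[AuditEvent],
                           care_team: Dict[str, Set[str]]) -> List[AuditEvent]:
    """Accesses by users with no documented relationship to the patient."""
    return [e for e in events if e.user not in care_team.get(e.patient_id, set())]


def split_use_and_disclosure(events: List[AuditEvent]) -> Tuple[List[AuditEvent], List[AuditEvent]]:
    """Separate internal use from disclosures to parties outside the organization."""
    internal = [e for e in events if e.action != "disclose"]
    external = [e for e in events if e.action == "disclose"]
    return internal, external


def drop_reads(events: List[AuditEvent]) -> List[AuditEvent]:
    """Simulate a system that audits only additions, deletions and updates."""
    return [e for e in events if e.action != "read"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for e in flag_unexpected_access(evs, CARE_TEAM):
        print(f"REVIEW {e.ts} {e.user} {e.action} {e.patient_id}/{e.element}")
    _, disclosures = split_use_and_disclosure(evs)
    for e in disclosures:
        print(f"DISCLOSURE {e.ts} {e.user} -> {e.recipient} ({e.patient_id}/{e.element})")
    print("flagged without read logging:",
          len(flag_unexpected_access(drop_reads(evs), CARE_TEAM)))
```

With the sample data, three events are flagged for review: two reads of P1001 by clerk_ray and one read of P2002 by dr_lee. Run the same check over a log that omits read events and nothing is flagged, which is the practical cost of turning read auditing off or of a product that never records it. The care-team table is the part a buyer has to supply and maintain; a registration clerk looking up demographics may be entirely legitimate, so the flag is a starting point for an investigation like the ones Ames describes, not a verdict.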
Authentication, Access Control
Certified software must offer the ability to control access to patient records and authenticate users. But the standards don't specify what technologies must be used.
"I think that good old user name and password is going to persist as the most common offering," Ames predicts. But she expects more hospitals and clinics will demand biometric systems, such as retinal or fingerprint scans, as well as single sign-on systems to make it easier for clinicians to access records while beefing up security.
Hudson expects that interest in two-factor authentication, using biometrics or smart cards, will be greatest among larger organizations with hundreds of users.
Vendor Strategies
When adding security capabilities, EHR vendors' decisions about whether to seek help from niche security technology companies will depend, in large part, on their history, Ames says.
"There are some vendors that are engineering-focused," she notes. "Those companies will build every bit of code to meet the certification requirements. Other companies have a history of partnering with other vendors to get a complete product. So they'll follow what they've done in the past."
Hudson boils it down to this: "The major companies will partner with anybody who can help them make a sale."