Security assessments should extend beyond EHRs

November 17, 2016
Mary K. Pratt

Analysis to identify and mitigate risks should follow patient data, according to experts.

Consultant Steven D. Weinman, MBA, has seen his share of security faux pas: patient records left up on computer screens, unencrypted data sent via email, passwords written down in visible spots such as on keyboards

All these practices create the potential for data breaches, said Weinman, who works at healthcare consulting firm FQHC Associates based in Gainesville, Florida.

As he pointed out: “Security is only as strong as the weakest link.”

Doctors need to know where their weak links are: federal regulations mandate it. The Health Insurance Portability and Accountability Act (HIPAA) requires medical providers to protect medical records, while the Meaningful Use program requires eligible providers to attest that they have met certain security measures.

The goal of both requirements is to have clinicians determine their security risks so they could help reduce them, said Jeremy Maxwell, PhD, senior technical advisor for security in the Office of the Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology (ONC).

“It’s having the right security technology in place, and also making sure it’s used to ensure it provides value to the organization” Maxwell said.

Picking an electronic health record (EHR) certified under Meaningful Use is just the start, he said, explaining that a certified EHR ensures the system has certain capabilities, functions and security but it’s not a full safeguard against data breaches and other cyberattacks.

So while certified EHRs have by definition certain security capabilities, Maxwell noted that physicians must ensure they’re using those capabilities fully and that they’re configured appropriately for their work processes.

As such, Maxwell and Weinman said physicians need security assessments (whether done by clinical staff, technology support personnel or outside consultants hired specifically for the task) that are thorough and consider much more than whether their EHRs are certified.

“There’s no security technology that’s going to be a silver bullet, so an organization should evaluate its environment,” said Lucia Savage, Esq., chief privacy officer with ONC.

Next: Assessing the data

 

Follow the data

An assessment should also follow the data you collect to ensure it is secure throughout the processes, Weinman said. “You might be great inside [your own practice] but you’re connected to a billing company, [for example] and that billing company may have staff located overseas,” he said.

Similarly, a security assessment should include a review of the logs that show which files were accessed by which workers, a review notifying practice leaders whether any practice employees are accessing files they shouldn’t, Weinman said.

It should also examine the technology components outside the EHR and the businesses processes throughout the practice for potential security risks... Those additional components range from determining whether the antivirus software installed is configured properly to whether ongoing training is adequate. It should also address policies, such as how frequently passwords must be changed, how often computer audits are reviewed to ensure only authorized personnel are accessing data and how non-electronic files such as faxes are handled.

Moreover, assessments should determine whether the security measures in place work best for any given practice, these experts agreed. For example, a practice with a central nurses station where nurses quickly access patients’ records through the EHR will want to have the timed-out function set for a very short timeframe, thereby shutting down any files inadvertently left up for even a few seconds after nurses move away from the computer; a physician working in an exam room for longer stretches can have a longer timed-out function and still be secure.

 

ONC and other federal organizations provide free guidance and tools for providers that include

·      https://www.healthit.gov/providers-professionals/security-risk-assessment-tool

·      http://www.hhs.gov/hipaa/for-professionals/security/guidance/

·      https://www.nist.gov/cyberframework

·      https://www.healthit.gov/buzz-blog/health-it-security/revised-hipaa-security-risk-assessment-tool/

·      https://www.healthit.gov/playbook/privacy-and-security/

Related Content:

Opinion | News | Legal | Technology