As the healthcare industry continues to undergo changes, more tools are being used to create operating efficiencies and coordinate better care for patients. For physicians, hospitals, administrators and healthcare IT administrators, it is essential that the privacy and safety of electronic health records (EHR) remain a high priority.
Security of EHR is crucial for building trust with patients and increasing their willingness to disclose pertinent information, which helps improve the delivery of healthcare services.
To mitigate the actual and perceived risks associated with electronic health information, providers have the primary responsibility to take steps necessary to protect the confidentiality, integrity, and availability of health information.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) makes healthcare providers legally accountable for the privacy and security of a patient's personal health information (PHI).
Here are some “Do's and Don'ts” for improving your healthcare IT security.
1. Develop a Risk Analysis & Action Plan
The healthIT.gov website recommends that healthcare providers conduct a security risk assessment and develop an action plan to protect patient health information. The purpose of the evaluation is to identify where the high priority threats and weaknesses are in your current IT security framework.
After completing the risk analysis, discuss the findings and use the information gleaned to formulate an action plan to mitigate the risks and vulnerabilities identified in the assessment. The plan should include the following five areas:
- Administrative,
- Physical,
- Technical safeguards,
- Policies and procedures, and
- Organizational standards.
Be sure to include your IT vendors in your assessment, analysis and planning.
2. Access Controls
Go beyond traditional password and pin number to implement a “Role-based” access control system. This will allow you to specifically define access privileges for each person on your staff. This method ensures that only persons authorized can view patients’ health information.
Limit the type of data available to administrative staff to basic demographics, such as name, address, and date of birth. Limit the ability to grant access privileges for administrative staff to your IT security manager, office manager or practice leadership.
3. Audit Trails
The purpose of an audit trail is to document and track activities within the EHR system. For example, an audit trail documents a user logging in and out of the system, opening, changing, creating or deleting a record, scheduling patient appointment, querying for information or printing records. It also time-stamps an event with date and time.
Remember, only authorized persons should have access to read patient records. No one should have the authority to modify or delete an audit trail.
4. Password Protection
To gain access to the EHR, the user must have a unique password. The IT should have the ability to define the rules for creating passwords, including complexity and expiration. The administrator may require the password to consist of 8 characters that must include one number, two capital letters, (*, &, $, %) and make it a requirement for users to create a new password every 90 days.
The EHR system should automatically log out users after a specified period of inactivity. If users enter a wrong pass word multiple times, as determined in the rules, the system should automatically lock the user out.
For sample password policies recommended by CISSP Certified security professionals, email Netgain's Security team.
5. Health Care Data Encryption
Encrypting patient information protects against an unauthorized person being able to read personal health data. Encryption also provides safeguards against hackers and other individuals with malevolent motives. In addition, encryption of EHR enhances your confidence that you will not be susceptible to breaches that will lead to HIPAA infractions and heavy fines.
Image via Perspec_photo88