EHR security and privacy
Keith Hamilton, senior consultant, Concordant
A well-planned security program saves health care companies more than money, says Keith Hamilton.
If designed properly, an electronic health records (EHR) system can produce many benefits for health care organizations. While government regulations like the Health Insurance Portability and Accountability Act (HIPAA) and other state laws require providers and payers to follow strict guidelines concerning the security of their health systems, security breaches continue to occur with minimal repercussions.
It is important to prioritize security for many reasons, but one area often not considered is cost. Cost-effective EHR system implementations are imperative, but an EHR system implemented without proper consideration of security controls can end up costing more. In the end, however, loss of reputation and patient confidence will be the greatest expense.
Regardless of the industry or associated regulations, a good security program begins by addressing the fundamentals of information security – maintaining the confidentiality, integrity and availability of all systems. Creating a best practices security environment will result in a HIPAA-compliant environment.
HIPAA's security rules require that administrative, technical and physical safeguards be considered and put into place. Administrative safeguards address the security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts and other arrangements. Technical safeguards address access controls, audit controls, integrity, person or entity authentication and transmission security. Physical safeguards address facility access control, workstation use, workstation security, and device and media controls.
The security program at your organization should be initiated, supported and directed by senior management. By taking a top-down approach you can provide a solid foundation for security and emphasize how strategic security is to your organization. It's also imperative to perform a risk analysis of the environment to identify where vulnerabilities exist and the potential risk associated with them. If your organization will be using third-party vendors as part of your program, you should perform due diligence by auditing their security controls to ensure that they meet your requirements. By doing so, your organization will have a good idea of what is required to reduce the effects of threats and vulnerabilities to a reasonable level – and to determine the cost benefits of each administrative, technical and physical security control.
Remember that availability of your systems is one of the three cornerstones of an effective security program, so it is critical to address business continuity and disaster recovery as part of this process.
Make no mistake about it: not all risk can be eliminated. Security is an ongoing, iterative process that requires keeping abreast of technology changes and new threats.
Your organization should have a computer incident response team (CIRT) in place. A CIRT will better prepare you to analyze and respond to any security breach or disaster event, to execute escalation procedures, and to perform post-implementation follow-up activities.
One area of security that is highly effective is a comprehensive security awareness training program. An effective training program, in conjunction with proper sponsorship from senior management, creates a culture of security that can lead to a self-policing work force.
As organizations are strapped for funds and resources, a well-planned security program can give them the confidence that in the event of an incident they will be well prepared and damages will be minimized.
Keith Hamilton is senior consultant with Concordant, a provider of IT services for physician organizations.