Security assessments should extend beyond EHRs
Consultant Steven D. Weinman, MBA, has seen his share of security faux pas: patient records left up on computer screens, unencrypted data sent via email, passwords written down in visible spots such as on keyboards
All these practices create the potential for data breaches, said Weinman, who works at healthcare consulting firm FQHC Associates based in Gainesville, Florida.
As he pointed out: “Security is only as strong as the weakest link.”
Doctors need to know where their weak links are: federal regulations mandate it. The Health Insurance Portability and Accountability Act (HIPAA) requires medical providers to protect medical records, while the Meaningful Use program requires eligible providers to attest that they have met certain security measures.
The goal of both requirements is to have clinicians determine their security risks so they could help reduce them, said Jeremy Maxwell, PhD, senior technical advisor for security in the Office of the Chief Privacy Officer for the Office of the National Coordinator for Health Information Technology (ONC).
“It’s having the right security technology in place, and also making sure it’s used to ensure it provides value to the organization” Maxwell said.
Picking an electronic health record (EHR) certified under Meaningful Use is just the start, he said, explaining that a certified EHR ensures the system has certain capabilities, functions and security but it’s not a full safeguard against data breaches and other cyberattacks.
So while certified EHRs have by definition certain security capabilities, Maxwell noted that physicians must ensure they’re using those capabilities fully and that they’re configured appropriately for their work processes.
As such, Maxwell and Weinman said physicians need security assessments (whether done by clinical staff, technology support personnel or outside consultants hired specifically for the task) that are thorough and consider much more than whether their EHRs are certified.
“There’s no security technology that’s going to be a silver bullet, so an organization should evaluate its environment,” said Lucia Savage, Esq., chief privacy officer with ONC.