Can Providers Cope With EMR Security Challenges?

Boy, back in the good old days, protecting patient data was comparatively easy. All you had to do was make sure that nobody got their hands on a patient’s paper chart who shouldn’t be looking at it.

After all, simple stuff like locking file rooms and making sure charts never get left in a public place are pretty easy to understand. Sure, paper records get stolen or rifled through now and then — no system is perfect — but putting processes in place to prevent unauthorized chart access isn’t that complicated.

On the other hand, introducing electronic medical records  — plus e-prescribing, digital sharing of lab results and more — is a completely different kettle of fish.

For one thing, providers must control access to medical information stored in their EMR in a far more sophisticated way than they had with paper charts.  For example, while role-based access to data may not sound too threatening to your average IT boss, it’s not exactly intuitive if you’re not a geek. Figuring out just who should get access to what gets a lot more complicated than when you used to just have to pull and route a chart.

Another issue: few clinicians know much about data security, and it’s not likely that they’re going to suddenly get wildly excited about encryption or VPNs.  Sure, you can warn them that it comes down to whether some random stranger (or even a staff member) will steal their patients’ Social Security numbers or broadcast medical secrets. But it’s just about impossible to explain security issues without wandering into scary jargon that will alienate the heck out of many doctors.

Of course, healthcare organizations can make sure their clinicians are trained to understand the importance of  securing their EMR. And they can even explain why specific types of security measures will limit their HIPAA exposure, the best pitch you can make to non-techies.

Still, the bottom line is that moving from paper to EMRs isn’t just a change-management exercise. It forces clinicians to think about how they use, distribute and share data on a profound level. I hope it does, anyway…cause if providers aren’t ready to think about these issues, things aren’t going to be pretty.

About the author

Anne Zieger

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

13 Comments

  • All said is true.
    The basics still matter – loose lips sink ships. Plus, it is still quite easy to accidentally fax PHI to the wrong fax number.

    Part of the pain. of going electronic is the added scrutiny. Add to that how much easier it is now to accidentally send PHI to either the wrong person or a non-secure method.

    The best thing a office can do (and it is a HIPAA requirement) is to have a solid set of company computer policies. This give all staff members the guidance needed to operate daily.

    Next, the proper training needs to occur. HIPAA Awareness training is yet another (wait for it) HIPAA requirement. Again, the training done properly (not just pencil "whipped") will inform & remind staff of the proper ways to deal with PHI is this new day.

    It is not as complex as it sounds, but there is a lot of work that must be put in.

  • Maybe I am biased in this aspect. But for an office of any size you likely need an IT manager to handle these issues. You have a claims manager; right? When skills are called for, you need skilled people. If the rest of the change management is done correctly then you likely aren’t going to need people to pull and route paper files. I haven’t done the actual research on it but my guess is that it can be a break-even choice.

    Thoughts?

    –Tim

  • Tim,
    I think it is true that most practices need an IT resource to manage the systems. However, IT people are often the worst offenders as they take short cuts to make their life easier. Security should be managed separately from IT – even though many of the controls will need to be operated by IT.

    John,
    You are spot on with the need for policies. All decisions about security should be driven by a coherent set of policies, standards and procedures. Training and ongoing reinforcement is critical to establishing security.

    I think the biggest challenge to achieving security in a doctor’s office is establishing it as a priority in the doctor’s mind. Even simple (but critical) recommendations such as selecting reasonable passwords are met with resistance.

    I completely understand their point but it doesn’t bode well for real protection of PHI.

  • It’s clear the digital asset risk is not completely understood. When the state and banks with the best IT Security money can buy have the word “compromise” associated with their name, the thought that PHI can be protected is laughable…looks as though this “lose-lose” EMR experiment is turning out to be very expensive indeed!
    “Patient Care Suffers When Data Security is a Budgetary Concern”
    http://preview.tinyurl.com/6ymqjaa

  • True, it may never be understood completely. But But a big part of security decision making is risk/reward based. Frankly my PHI is of no value to anyone but me. By keeping the demographic model completely separate from the clinical model it makes it easier to protect the more valuable financial information (address, SSN,etc.). It also aides in de-identification (a completely different subject).

    But the comparison of banking data with PHI is just wrong on soooo many levels.

  • Tim, my point is when, not if entrepreneurs (hackers) want part or all of PHI they will easily have it. Insurance numbers will soon be worth more than account #’s due in big part to the baby boomers begining to arrive and they having time and money to fix, tuck, and spend…

  • A few things:
    @Cole Libby Yes, IT folks are usually big offenders – they lack the proper training.
    @Tim Cook — whether you think you PHI has no value to others or not isn’t the point: Yes ID theft is part of it, but privacy is another part of it.

    Folks, this stuff is not that challenging. Accept you have to follow the rules and realize complaining about them won’t make them go away.

  • John’s point is well taken about rules and training. An EMR may have all the components for putting security into practice. However, managing requires setting up a system to control user accounts and rules. For example, this gives the user the ability to plan for new employees coming on board or leaving.

    Second, a well developed workflow system can insure that information is only sent to the right recipients.

    As always, the best insurance is building a security and HIPAA conscious environment.

  • I’m loving the conversation. Some really interesting points.

    I have to admit that as I read the post I was struck by the difference in security with an EHR vs. a paper chart. Certainly there were some best practices with a paper chart that people tried to implement and follow. However, EHR security tracking can be so granular and detailed that it takes security of the paper chart to a whole other level. Or maybe I should say it can take security to a whole other level. The flip side is that it can expose your lack of security as well.

    Reminds me of my favorite comment about the need to fix your processes before implementing an EHR. Otherwise, the EHR will exacerbate any poor processes and make them worse. The same could easily be applied to poor security controls.

Click here to post a comment
   

Categories