Information security is important for EHR systems and medical practices. Security breaches should be a concern of staff and providers, as well as the EHR vendor. Unfortunately, criminals seek to use patient data and insurance information to file fake insurance claims, or potentially to gather information they can use to file fake tax returns. EHR systems should have data that is secured, backed up, redundant, and encrypted. Some of the final certification criteria relate to security standards the certified EHR must display. Vendors on the final certification criteria (2015 criteria) should be meeting the ONC 2015 criteria.
Beyond the security standards, there are security actions required of the medical practices that use an EHR system. While all EHR systems require the practice to have its own internal security policies, the amount of security monitoring work depends on the EHR system the pediatric practice adopts. When deciding on an EHR system, a practice should decide how much of the security monitoring it wants to do itself versus how much the vendor does. Let’s look at the security required of a practice for a client-server EHR and for a cloud-based EHR system.
Security Items to consider when adopting a Client-Server E.H.R. System that is hosted remotely (note the EHR company might call this a ‘cloud’ product):
Ask the EHR vendor whether the practice needs to manage the firewall and security, as well as the monitoring, of the hosted EHR systems.
If the EHR vendor is doing the monitoring, it should be carried out by a qualified person (e.g., a network engineer). The person should be monitoring the systems 24/7 if there is internet access. If the practice is doing this work, identify the cost of the monitoring and management as part of the evaluation process.
Confirm that the EHR company is managing the data backup and redundancy.
The practice data should be secured and backed up routinely in case of equipment failure, a problem with the systems, or loss of or damage to the facility.
Identify and confirm the practice's role in managing the different aspects of disaster recovery.
This means that if some type of event causes loss of data or damage to the system, the practice needs to be able to restore the data and systems. This usually requires a qualified team of network engineers and a planned approach to minimize downtime.
Security Items to consider when adopting a cloud E.H.R. System:
The practice needs to adopt a password policy and check that it is being followed.
Passwords and usernames should not be kept in a location where someone can see them. Unfortunately, many security breaches occur due to bad password management that provides an easy way for a person to make a security breach. Unfortunately, some users accidentally provide their username and password to an ‘unauthorized user’ because they are tricked into providing this information.
Confirm the E.H.R. vendor manages the firewall and security as well as monitoring of their systems 24 hours a day, 7 days per week.
Another aspect to consider when adopting an E.H.R. system is how the system stores data. Some systems store the patient data and files locally on a desktop or laptop computer. While this is ‘old’ technology, there are still many practices with this type of E.H.R. system. The security risk is that a staff member loses a laptop, or has one stolen, with all the practice's Personal Health Information (PHI) stored on the local computer. Using a true cloud-based EHR system that does not store the PHI for charts locally on laptops eliminates this risk factor.
An important area to evaluate related to data security is the physical security of the pediatric practice. The practice should evaluate how to minimize the amount of data left in the open or in non-secure cabinets. Evaluate the risk of the building the practice is in and of the practice itself. Is the commercial space locked after hours, and is the practice locked with a separate key? Who has access to the location, and how challenging is it for unauthorized personnel to access the pediatric practice? If an unauthorized person accessed the practice, what data could they obtain? Are there usernames or passwords they could find? If so, eliminate this risk by locking up data and sensitive information. Consider ways to eliminate paper PHI by scanning it into the chart. Evaluate the amount of data the EHR system stores locally on PCs in the office and, if needed, how to mitigate this risk.