Five steps to keep EMRs private
Simple ways exist for implementing technical safeguards to mitigate security risks, while becoming compliant and maintaining current levels of service.
By Saurabh Bhatnagar
overnment-mandated migration to elec- tronic medical records (EMR) brings with it inherent risks of healthcare information technology. Patient data in digital format is constantly at risk from intentional data manipulation or theft, accidental record access, and the ever-present risk of exposure to malware.
Other issues include the high cost of initial imple- mentation, the logistical challenge that comes with necessary work-fl ow restructuring and the pressure to maintain current levels of service without interruption. Often, these issues pose signifi cant challenges to business continuity and take priority over security – which can threaten compliance with HIPAA.
Simple ways exist for implementing technical safe- guards to mitigate security risks, while becoming compli- ant and maintaining current levels of service. Here are fi ve practices to follow:
Saurabh Bhatnagar is vice president of product management at BeyondTrust, Agoura Hills, Calif. For more information on BeyondTrust solutions: www.rsleads.com/004ht-207
Delegate access: HIPAA
prohibits users being granted unrestricted access to any computer or unrestricted access to an entire IT sys- tem. This prevents users from altering system re- cords, such as event logs,
and circumventing the requirements for tracking users who access information, all non-compliant activities. Removing administrator rights and root passwords from an organization’s user population will control user access and eliminate the ability to execute these threats. HIPPA requires healthcare IT organizations to imple- ment a set of controls that restrict the actions of users to just the tasks defi ned by their job role. By removing administrator rights and root passwords, users will no longer be able to access electronic-protected health information (ePHI) they are not authorized to view. Also, malware will be prevented from leveraging user administrator rights to exploit system vulnerabilities and gain access to records.
32 April 2010
Support productivity: Removing administrator rights and root passwords comes at a high cost to productivity, since the typical operating system has an all-or-nothing approach. Either you have administrator rights and ac- cess to everything, or you do not; you need permission to run the simplest of tasks, resulting in an escalation in help-desk calls.
When people perceive security as a performance problem rather than protection control, misuse of IT privileges will spike and ePHI data will be subjected to security risks. IT managers, however, can enable appli- cations to run for users without administrator rights or passwords by implementing external solutions. Safeguard data integrity: HIPAA requires technical controls be implemented to protect ePHI from being altered or EMRs being destroyed. These procedures mean harm caused by a user misusing their IT privileges, such as shutting down a fi rewall, is prevented. External technologies are available to enable a productive security confi guration without disrupting the operating system that could violate software and system warranties. Support accountability: HIPAA requires technical controls that assign unique IDs to verify user privileges and track user access. The wildcard is shared accounts. Implementing solutions that eliminate the need for shared accounts brings a layer of accountability, remov- ing the cloak of anonymity from the user, and reducing the likelihood of a user doing damage to ePHI. The most secure and compliant IT environment is one that limits user activities to what is necessary to do their job and requires accountable authentication when elevating certain processes to access critical patient data. Secure activity logs: A secure and standardized IT system will protect the technical controls that record activity in ePHI data systems. HIPAA requires an orga- nization be able to create and maintain retrievable and exact copies of ePHI, and restore any lost data. Protecting procedures that monitor logins and report discrepancies will provide a compliant, auditable trail, simplifying the process and reducing overall audit costs.
HEALTH MANAGEMENT TECHNOLOGY