Around the world, sirens are sounding the rush to electronic health records. In the U.S. alone, the government is pumping nearly $20 billion into helping doctors and hospitals transition to digital medical files. Globally, the goal of this move away from paper-based systems is to make healthcare more efficient and accessible - and less costly. Yet, IT executives and experts alike warn that for this effort to be a success, enterprise security and compliance have to be addressed first.
Healthcare organizations should be able to guarantee end-to-end visibility of the enterprise and have network-access controls in place to ensure data safety and integrity. Here are five tips for laying the groundwork for an electronic health records implementation:
Know compliance obligations and risk tolerance levels. Most healthcare organizations fall under one or multiple government or private patient-privacy mandates. They can range from loose guidelines to strict rules that have financial penalties.
Understand how data is to be protected under these restrictions and account for that in any security strategy. Some mandates, for example, require all data at rest to be encrypted. Others demand audit details about who has had access to certain information.
Also critical is understanding risk-tolerance levels. What would happen if there was a data breach? According to some country and state rulings, an organization would have to notify its user base and even suffer financial repercussions.
Understand user access roles. One of the trickiest parts of electronic health records is determining who gets access to what. A doctor might need to know the medicine that a patient is on, but not how she paid for her last visit. The financial team might need to know the balance on an account, but not the patient's latest test results. Healthcare organizations have the added challenge of having so many external partners, such as medical laboratories, also needing access rights.
The best way to address this is to use centralized tools that automatically manage user access based on roles. Policies can be set to map to specific users across the network topology. That way, if a breach occurs, the organization is not guessing based on MAC and IP addresses.
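As an added illustration of the role-based access and audit requirements described above (this is example code, not a 3Com product or anything from the original article), the following Python sketch grants each role only the record fields its job needs, denies everything else by default, and records every decision so the "who has had access" question from the compliance tip can be answered. The role names, field names and sample record are constructed assumptions.

```python
"""Field-level, role-based access to an EHR record with an audit trail:
deny by default and log every decision so access can be reported later."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List

# Hypothetical role -> readable EHR fields (least privilege: only what the
# role needs; anything not listed is denied).
ROLE_FIELDS: Dict[str, FrozenSet[str]] = {
    "physician": frozenset({"demographics", "medications", "lab_results"}),
    "finance": frozenset({"demographics", "account_balance"}),
    "lab_partner": frozenset({"lab_results"}),  # external laboratory
}

@dataclass
class AuditEvent:
    when: str
    user: str
    role: str
    patient_id: str
    field_name: str
    allowed: bool

@dataclass
class EhrAccessControl:
    audit_log: List[AuditEvent] = field(default_factory=list)

    def read_fields(self, user: str, role: str, patient_id: str,
                    requested: List[str], record: Dict[str, object]) -> Dict[str, object]:
        """Return only the requested fields this role may see; audit each field."""
        permitted = ROLE_FIELDS.get(role, frozenset())  # unknown role -> nothing
        released: Dict[str, object] = {}
        for name in requested:
            allowed = name in permitted and name in record
            self.audit_log.append(AuditEvent(
                datetime.now(timezone.utc).isoformat(), user, role, patient_id, name, allowed))
            if allowed:
                released[name] = record[name]
        return released

    def accesses_to(self, patient_id: str, field_name: str) -> List[AuditEvent]:
        """Who has actually read this field of this patient (for audit reports)."""
        return [e for e in self.audit_log
                if e.patient_id == patient_id and e.field_name == field_name and e.allowed]

# Constructed sample record, not real patient data.
SAMPLE_RECORD = {"demographics": {"name": "J. Doe"}, "medications": ["metformin"],
                 "lab_results": {"a1c": 6.8}, "account_balance": 125.00}
```

Denied requests are logged too, which is what makes the trail useful for spotting a user probing fields outside their role.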
Gain control of endpoints. A daunting task in health care is tracking the plethora of "unmanned" devices on the network. IT teams should account for the security of everything - from electronic heart monitors to infusion pumps. As these devices start to feed information into digital records, protecting them becomes even more critical.
To do so, IT teams should use endpoint-management tools to automatically locate them on the network, check their configuration, virus and patch status, and quarantine them if they pose a threat. Centralized policies should determine their level of access to patient records.
Ensure monitoring, audits and reports can be carried out across the entire enterprise. As more and more money is funneled into electronic health records, there will be increased scrutiny on the handling of that data, with the potential for harsher privacy mandates and other oversight. Therefore, healthcare organizations should ensure they can monitor, track, audit and generate reports on all activity surrounding electronic health records.
Use tools that help to aggregate and analyze information in real time. With the switch to electronic health records, there will be more work for IT teams overall. Healthcare organizations can temper this by using tools that automate routine tasks, and aggregate and analyze information in a single console. Rather than examining syslogs from each security device, IT teams can use unified threat-management software to gather data from firewalls, proxy servers and switches into a single database. Using preset thresholds, the IT team is then proactively alerted if events warrant their attention.
Unified threat-management tools can be instrumental to the success of electronic health-record rollouts. They can reconcile from a single console what the firewall is seeing with what the intrusion-prevention system is seeing, and also what is happening on the organization's virtual private network.
TerryAnn Fitzgerald is senior manager, solutions marketing, at 3Com, Marlborough, Mass.