Managing EMRs beyond regulations
By Kurt Johnson
While HITECH and HIPAA have been instrumental in promoting the adoption of EMRs, they have also enforced strong security and privacy policies around the protection of sensitive patient data. Following these five guidelines will help your organization implement a complete access assurance strategy.
Protecting confidential patient data has never been an easy task for healthcare organizations. Staff turnover can be frequent, employees’ roles are constantly changing and there is often a high level of contract work being performed – all factors that make it challenging for IT professionals to appropriately manage user access to patient records and other sensitive company data. In addition, the rapid adoption of electronic medical records (EMRs) industry-wide has added even more complexity to the IT puzzle, as patient data becomes more accessible over many different devices. While protecting patient privacy has always been of critical importance, there is now an additional layer of focus – compliance.
Healthcare organizations face a number of industry regulations, but perhaps the most notable are the Health Information Technology for Economic and Clinical Health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA). While HITECH and HIPAA have been instrumental in promoting the adoption of EMRs by outlining the steps healthcare organizations should take to adopt and use electronic patient records, they have also enforced strong security and privacy policies around the protection of sensitive patient data. Healthcare organizations that fail to demonstrate compliance with these regulations are not only at risk from data breaches, but they are also susceptible to penalties such as fines, withdrawal of government funding, criminal charges or even incarceration.
But while it’s in the best interest of healthcare organizations that are implementing and utilizing EMR systems to comply with HITECH and HIPAA, simply demonstrating compliance does not mean they are secure. Put another way, being compliant does not ensure patient privacy. Beyond these industry regulations, it is incumbent upon healthcare organizations to implement effective risk management and security best practices in order to control access to confidential patient information and other corporate data as a means of good customer service. Patients want to be assured that their personal information will not be privy to unauthorized users and that their hospitals or doctors’ offices are taking all of the precautions necessary to prevent a data breach.
Implementing an effective access assurance strategy
The first step toward preventing data breaches and demonstrating compliance with industry regulations such as HITECH and HIPAA is assessing the security risks that exist within your organization. Where does sensitive information lie within EMR systems or on the corporate network? Who has access to this information? Is this access appropriate? How and why was this access granted? What are you doing to ensure policy is followed on an ongoing basis?
Once you have a clear understanding of the security risks that threaten your organization, you must define, assess, verify and enforce proper user access policies in order to minimize high-risk areas, protect sensitive patient data from unauthorized user access and prevent the misuse of patient records by authorized users. Here are five tips to help you effectively manage user access to EMR systems and other corporate networks:
- Define user access policies in accordance with corporate and industry regulations to avoid compliance violations while allowing caregivers to have the information they need to ensure patient safety and proper care.
- Create and manage roles so physicians, nurses and other members of the medical staff have the necessary level of access required for them to perform their jobs successfully, but only the access necessary. Granting employees access to information that is not essential to their job functions puts confidential patient and corporate data at an increased risk of being exposed – whether intentionally or unintentionally.
- Review user access policies on an ongoing basis to determine who has access to what sensitive data; verify that this access is appropriate and in compliance with both corporate and industry regulations; and remediate access when it is not.
- Ensure access is shut off as soon as an employee is terminated or transferred to a different position in order to prevent access creep, “zombie” accounts (active accounts that exist for employees no longer at the organization) and compliance gaps. Leaving time between when an employee leaves the organization or a particular role and when access is shut off gives the employee a chance to access and utilize confidential data in inappropriate ways. This is extremely important in the healthcare industry where staff turnover can be frequent and responsibilities are constantly changing.
- Finally, it is imperative that healthcare organizations constantly monitor user activity to prevent the misuse of patient records by authorized users. Are employees accessing EMR systems during off-shift hours? Are they accessing patient records of individuals who are not their patients? Access may be appropriate, but if employees aren’t using their access in the proper ways, confidential patient data is at risk. IT professionals can combine identity and access management (IAM) and security information and event management (SIEM) solutions to identify users who may be engaged in inappropriate behavior that represents increased risk to the security of the organization.
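The fourth and fifth tips above (shutting off access for departed staff and monitoring how authorized users actually use their access) can be checked mechanically once IAM data and EMR access logs are brought together. The following is an added example, not code from the article or from Courion; the log format, the care-assignment table, the shift windows and the terminated-user list are all constructed assumptions standing in for what an EMR, scheduling system and HR feed would supply.

```python
from collections import namedtuple
from datetime import datetime

# Constructed sample EMR access log: timestamp, user, action, patient id.
ACCESS_LOG = """\
2023-03-01T09:15:00 nurse_ann  view  patient_101
2023-03-01T22:40:00 nurse_ann  view  patient_102
2023-03-01T10:05:00 dr_lee     view  patient_201
2023-03-01T10:07:00 dr_lee     view  patient_999
2023-03-02T08:30:00 clerk_bob  view  patient_101
"""

# Constructed IAM/HR context: who is assigned to which patients, which hours
# each user is on shift, and which accounts should already have been disabled.
CARE_ASSIGNMENTS = {
    "nurse_ann": {"patient_101", "patient_102"},
    "dr_lee": {"patient_201"},
}
SHIFTS = {"nurse_ann": (7, 19), "dr_lee": (8, 18)}   # (start_hour, end_hour)
TERMINATED = {"clerk_bob"}                            # "zombie" account candidates

Finding = namedtuple("Finding", "user patient reason")

def parse_log(text):
    """Parse the whitespace-separated log into (datetime, user, action, patient) rows."""
    rows = []
    for line in text.splitlines():
        ts, user, action, patient = line.split()
        rows.append((datetime.fromisoformat(ts), user, action, patient))
    return rows

def review_access(log_text, assignments=CARE_ASSIGNMENTS,
                  shifts=SHIFTS, terminated=TERMINATED):
    """Flag access by terminated accounts, access to patients not assigned
    to the user, and access outside the user's shift window."""
    findings = []
    for ts, user, action, patient in parse_log(log_text):
        if user in terminated:
            findings.append(Finding(user, patient, "zombie account still active"))
            continue
        if patient not in assignments.get(user, set()):
            findings.append(Finding(user, patient, "not an assigned patient"))
        start, end = shifts.get(user, (0, 24))
        if not start <= ts.hour < end:
            findings.append(Finding(user, patient, "off-shift access"))
    return findings
```

Each finding is a starting point for review, not proof of misuse: a nurse covering an unassigned patient during an emergency is legitimate, which is why the text stresses verifying access rather than blocking it outright.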
By following these guidelines, healthcare organizations will be able to implement a complete access assurance strategy that allows them to ensure that only the right employees have the right access to the right resources and are doing the right things. Otherwise, they are more susceptible to compliance violations and data breaches – both of which can be detrimental to a company’s bottom line as well as its reputation.
About the author
Kurt Johnson is vice president of strategy and corporate development for Courion Corporation, an identity and access governance provider. For more information on Courion: www.courion.com.