4 Crucial data security measures every EMR must have in place

Cybercrime and data loss have devastating consequences—and while adopting data security best practices is important in any industry, it’s absolutely crucial in health care.

That’s because, in our world, failure to properly control access to a patient’s medical record could mean the difference between life and death.

Given the gravity of the cybersecurity issue—especially within the healthcare community—it’s no surprise that the US Department of Health and Human Services (HHS) recently announced plans to open a Cybersecurity and Communications Integration Center. The Center will help educate healthcare organizations and consumers about health data vulnerability and the risks associated with using mobile technology in this industry. The Centers for Medicare and Medicaid Services (CMS) is also considering developing a similar program.

But the importance of data security isn’t anything new, so what’s driving this collective push for industry-wide education? Admittedly, this type of knowledge is lacking across our industry, and the renewed push to teach providers how to properly safeguard their patient data seems directly linked to the mass proliferation of cloud-based technologies serving the healthcare space. Mobile apps and wearable devices are already becoming ubiquitous within the healthcare ecosystem—and this is just the beginning. Already, we can:
● monitor motion in patients with neurological and musculoskeletal injuries through high-tech gloves;
● check glucose levels in real-time from a wristwatch; and
● track patient temperature spikes from a patch.

And that’s far from a comprehensive list. Given the tremendous benefits that these—and other—technological advancements offer providers and their patients, it’s easy to forget that such systems are susceptible to cybersecurity threats. But they are. And it’s so, so important to not only recognize that, but also be cautious of it.

Proactive Planning Against Data Breaches
Data flows in and out of healthcare systems in a number of ways, but the main information hubs—electronic medical record (EMR) systems—represent the biggest security concern for most providers and hospitals. Among EMRs, cloud-based systems have become popular because they help providers collaborate and manage the exchange of relevant data more effectively. As you know, being able to access and share vital patient information in a rapidly changing healthcare environment is a tremendous benefit. Yet that same portability increases the risk of potential threats to data integrity.

So, what is the best defense for providers who use cloud-based technology? Selecting reliable technology partners who are taking the necessary steps to reduce risk. That means thoroughly vetting potential vendors to ensure their security parameters are up to snuff. After all, as a provider, it’s ultimately up to you to secure your patient data, and should a breach occur, the consequences—legally, financially, and reputationally—will fall mostly on your shoulders. With that in mind, here are four critical security safeguards that every top-notch cloud-based EMR system absolutely must have in place:

1. HIPAA and HITECH compliance—as a baseline.
HIPAA and HITECH provide a regulatory roadmap for securing protected information—and while they serve as a great baseline standard for data security, you’ll need security controls that are tailored to your specific needs. Also, because security concerns aren’t universal, it’s important that vendors and other technology providers expand their security strategy beyond industry-based methods alone. For example, your EMR should also provide bank-level (SSL) encryption for data exchange to ensure that information can be safely transmitted over the Internet through an encryption algorithm.

2. An audit trail that provides critical clues.
An audit trail is a system feature that tracks user actions to discourage hacking and other fraudulent activity. Your EMR’s audit trail should track all attempts to access patient data by recording the answers to the following questions:
● What data was accessed?
● When was it accessed?
● Who accessed it?
● Where was it accessed from?
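
As an added illustration (not part of the original article and not any vendor's implementation), the sketch below records every access attempt, allowed or denied, with the four answers listed above. It goes one step beyond the article by hash-chaining entries so that later edits or deletions are detectable; the class, field names, user IDs, record paths and addresses are all constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry

def _digest(body):
    # Canonical JSON so the same entry always hashes to the same value.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditTrail:
    def __init__(self):
        self.entries = []

    def record(self, who, what, where, allowed, when=None):
        entry = {
            "what": what,        # record that was requested
            "when": when or datetime.now(timezone.utc).isoformat(),
            "who": who,          # authenticated user id
            "where": where,      # source address or workstation
            "allowed": allowed,  # denied attempts are logged too
            "prev": self.entries[-1]["hash"] if self.entries else GENESIS,
        }
        entry["hash"] = _digest(entry)  # covers all fields, including prev
        self.entries.append(entry)
        return entry

    def first_tampered(self):
        """Index of the first altered or missing link, or None if intact."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or _digest(body) != e["hash"]:
                return i
            prev = e["hash"]
        return None

    def attempts_on(self, what):
        # Who touched this record, when, from where, and was it allowed?
        return [(e["who"], e["when"], e["where"], e["allowed"])
                for e in self.entries if e["what"] == what]

def constructed_sample():
    # Constructed data: not real users, patients or addresses.
    t = AuditTrail()
    t.record("therapist_01", "patient/1001/chart", "192.0.2.10", True, "2018-01-05T09:00:00Z")
    t.record("billing_02", "patient/1001/chart", "192.0.2.44", False, "2018-01-05T09:02:00Z")
    t.record("therapist_01", "patient/1002/chart", "192.0.2.10", True, "2018-01-05T09:05:00Z")
    return t
```

A chain like this only detects tampering if the latest hash is also kept somewhere the application's own users cannot rewrite.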

3. State-of-the-art data centers.
Any major cloud provider worth its salt will continually invest significant resources and expertise into building and maintaining world-class data security, which means they typically offer better privacy than in-house systems. As such, they will have state-of-the-art data centers that are built to defend against both cyber and physical threats. These types of data centers possess bank-level security, sophisticated encryption methods, and real-time surveillance.

WebPT, for example, stores its data at IO Data Center, a Tier III-Certified facility that provides multiple layers of access control, including a defensible perimeter, video surveillance, biometric screening, and round-the-clock security guards. Ask your vendor for security details about its operations—online and off. And keep in mind that this is basic information that every trustworthy vendor should be willing to provide.

4. Access to real-time expertise.
When it comes to protecting sensitive data, people matter. So, be sure that any potential technology partner has specialized staff trained in online security measures. These experts can help you proactively address a security threat, sparing you from a potentially serious problem.

Dr. Heidi Jannenga is president and co-founder of Phoenix-based software company WebPT, the country's leading rehab therapy platform for enhancing patient care and fueling business growth, with more than 71,000 members and 9,800 clinics as customers.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2018.

 
