By Deena Coffman
As more healthcare organizations implement wide-scale electronic health record (EHR) systems, many are relying on third-party vendors to accomplish various parts of the project. But the data privacy landscape in healthcare presents challenges that are unique to the industry, and providers must be diligent in vetting and managing vendors to ensure that patient data isn’t compromised.
The needs of different healthcare providers mean that each will have its own subset of concerns. Hospitals will likely have different areas of concern than will a pharmacy, a small physician practice, or a skilled nursing facility. Some organizations will have increased interaction with patient families while others will be more concerned with providing EHR access to a highly mobile workforce and to visiting physicians who are on a different data security platform from that established for employees. But patient data privacy standards affect every healthcare provider, and under the omnibus rule recently updated by HHS, extend in a very meaningful way to Business Associates (BA). The "conduit exception" still applies but is limited to an organization that merely transmits protected health information (PHI) as opposed to a company that maintains and/or stores it. The rule extends to subcontractors with access to protected patient information, and these subcontractors are now also classified as Business Associates under the rule. Covered entities are required to have in place contracts, or Business Associate Agreements (BAAs) that ensure that the Business Associates will appropriately safeguard protected health information and extend such protections to and through subcontractors as far as the PHI travels. Ensuring all service providers that maintain, store or have access to patient data meet data security and privacy standards can help make EHR implementations safer.
Managing access to the EHR system is a critical component of implementing a secure and effective solution. Healthcare organizations should carefully verify the information security and data privacy programs of any service providers that are involved in designing, developing, accessing or maintaining systems that contain patient data, which include EHR systems. Potential service providers should provide assurances on such aspects as how authentication is performed, how access is tracked and whether automatic notifications are available to flag suspicious behavior or potential breaches. Healthcare providers should understand the system’s capabilities to filter access on a granular level. Just because a staff member is authorized to view a patient’s record one day does not mean she or he should have the same capabilities the following week. Confirm that the system disallows otherwise common functionalities such as screen capture, printing, or e-mailing sensitive information to unauthorized recipients.
Deeper questions regarding a potential EHR system must also be asked. In the final omnibus rule, patients were given additional control to limit sharing of their records on a per-visit basis when paying in cash. Many service providers are still implementing changes to their systems to accommodate this new development, but no standard method is in place to provide consistency or compatibility. In order to comply, healthcare providers must understand how access will be filtered in any system holding this information that may be shared externally. Will controls be administrative, technical or a combination thereof? Is the system subject to human error, which is common with the adoption of new systems and processes?
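The two preceding paragraphs describe controls a buyer should be able to verify in a vendor's system: authorization that does not silently carry over from one week to the next, a per-visit restriction a patient can set when paying in cash, an audit trail of every access decision, and an automatic flag on suspicious activity. The following is an added illustration written for this article, not code from the author, the omnibus rule, or any EHR vendor. It models those controls in a few dozen lines; all users, patient IDs, visits and dates are constructed, and the treatment of a restricted visit (usable for treatment, not disclosed for payment) is a deliberate simplification of the rule.

```python
"""Added illustration (not the article's or any vendor's code) of the access
controls an EHR buyer should ask about: time-bounded grants, a per-visit
patient restriction flag, an audit log of every decision, and a simple
automatic alert. All sample data below is constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Grant:
    """Permission for one user to use one patient's data for one purpose
    during a date range; outside the range the grant simply does not apply."""
    user: str
    patient_id: str
    purpose: str        # "treatment" or "payment" in this example
    valid_from: date
    valid_to: date

    def covers(self, user: str, patient_id: str, purpose: str, on: date) -> bool:
        return (self.user == user and self.patient_id == patient_id
                and self.purpose == purpose and self.valid_from <= on <= self.valid_to)


@dataclass(frozen=True)
class Visit:
    visit_id: str
    patient_id: str
    restricted: bool    # True: patient paid out of pocket and asked that this visit not be shared


@dataclass(frozen=True)
class AuditEvent:
    user: str
    visit_id: str
    purpose: str
    on: date
    allowed: bool
    reason: str


@dataclass
class AccessMonitor:
    grants: List[Grant]
    visits: Dict[str, Visit]
    alert_threshold: int = 3          # distinct patients one user may touch before being flagged
    audit_log: List[AuditEvent] = field(default_factory=list)
    patients_seen: Dict[str, Set[str]] = field(default_factory=dict)

    def check_access(self, user: str, visit_id: str, purpose: str, on: str) -> Tuple[bool, str]:
        """Decide one request (date given as ISO text, e.g. "2013-09-03").
        Every decision, allowed or denied, is written to the audit log."""
        on_date = date.fromisoformat(on)
        visit = self.visits.get(visit_id)
        if visit is None:
            return self._record(user, visit_id, purpose, on_date, False, "unknown visit")
        if not any(g.covers(user, visit.patient_id, purpose, on_date) for g in self.grants):
            return self._record(user, visit_id, purpose, on_date, False, "no active grant for this purpose")
        # Simplified self-pay restriction: the visit may still be used for the
        # patient's own treatment but is not disclosed for payment purposes.
        if visit.restricted and purpose != "treatment":
            return self._record(user, visit_id, purpose, on_date, False, "visit restricted by patient")
        self.patients_seen.setdefault(user, set()).add(visit.patient_id)
        return self._record(user, visit_id, purpose, on_date, True, "allowed")

    def _record(self, user, visit_id, purpose, on, allowed, reason) -> Tuple[bool, str]:
        self.audit_log.append(AuditEvent(user, visit_id, purpose, on, allowed, reason))
        return allowed, reason

    def flagged_users(self) -> List[str]:
        """Users whose distinct-patient count reached the alert threshold;
        a real system would raise a notification here for review."""
        return sorted(u for u, seen in self.patients_seen.items() if len(seen) >= self.alert_threshold)


def build_sample_monitor() -> AccessMonitor:
    """Constructed sample data: one clinician with a one-week grant on P1,
    a billing clerk, and one visit the patient asked not to be shared."""
    grants = [
        Grant("dr_lee", "P1", "treatment", date(2013, 9, 1), date(2013, 9, 7)),
        Grant("dr_lee", "P2", "treatment", date(2013, 9, 1), date(2013, 9, 30)),
        Grant("dr_lee", "P3", "treatment", date(2013, 9, 1), date(2013, 9, 30)),
        Grant("clerk_sam", "P1", "payment", date(2013, 9, 1), date(2013, 12, 31)),
    ]
    visits = {
        "V1": Visit("V1", "P1", restricted=False),
        "V2": Visit("V2", "P1", restricted=True),    # cash visit, patient restricted disclosure
        "V3": Visit("V3", "P2", restricted=False),
        "V4": Visit("V4", "P3", restricted=False),
    }
    return AccessMonitor(grants, visits)


if __name__ == "__main__":
    m = build_sample_monitor()
    print(m.check_access("dr_lee", "V1", "treatment", "2013-09-03"))    # allowed
    print(m.check_access("dr_lee", "V1", "treatment", "2013-09-10"))    # grant expired
    print(m.check_access("clerk_sam", "V2", "payment", "2013-09-03"))   # restricted visit
    for event in m.audit_log:
        print(event)
```

The point of the shape is that the deny reasons are explicit and every decision lands in the audit log, which is what lets a reviewer answer the article's questions (how is access tracked, what flags suspicious behavior) from the system's own records rather than from a vendor's description of it.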
Another facet of EHR implementation risk is the increasing array of web applications and other tools that healthcare organizations are adopting. Vendors that will be involved in the creation of those web applications should be queried on their adherence to OWASP (Open Web Application Security Project) standards for secure development and design. They should also demonstrate experience in authentication technologies, in properly testing the applications prior to and following a roll-out, in handling errors that may occur at any point in the application’s lifecycle, and in designing applications that can withstand direct security challenges. Rigorous testing becomes even more crucial when a web application is used to manage or access healthcare records, and verifying previous experience and existing programs and controls can provide insight into areas that are beyond a service provider’s capabilities.
Patient portals are also gaining in prominence as providers seek to grant patients online access to more of their personal health information. But the process of creating a secure patient portal involves additional layers of complexity beyond many other types of web applications. No longer will developers need to concern themselves primarily with internal users who have likely received extensive training, have signed confidentiality agreements, are under management oversight, and who can typically be individually tracked and monitored for usage patterns showing suspicious behavior. Instead, the design and security features of a patient portal must take into account a much wider variety of users who will be accessing the system, data breach exposure via a service provider, and external threats from hackers. Any covered entity or business associate involved in the development, usage or maintenance of a system that will contain patient data, especially one that will be exposed to the Internet, must understand the increased need for security and monitoring.
Consideration must also be given to where the EHR system will store data. If a cloud service will be used, an organization must remember that it is still not absolved of responsibility for data security when entrusting patient information to a service provider. Instead, more effort and forethought are required for healthcare providers to successfully work in concert with cloud providers to secure patient data. Clarity in understanding and accuracy in coordinating responsibilities for data security are essential. Wrongly assuming that a cloud service is providing an aspect of security when it is not is a recipe for a data breach. Understanding the level of protection that is provided by the business associate is critical; focus specifically on safeguards in place to ensure patient information is properly protected. Experienced companies will have a mature security program and will be comfortable providing assurances to that effect. Even with a mature information security program, new development or customized processes may be needed. Under these circumstances, it is especially important that both parties understand where responsibilities lie and coordinate closely on execution, testing and auditing.
Many organizations prefer to house their data internally for a greater level of control. But even healthcare facilities that choose to do so often employ external IT consultants or other technology partners that access systems and data. An individual in this capacity can be a threat to data security just as a cyber criminal thousands of miles away can be. Ensuring that external IT consultants are vetted for security and that the internal security program, which includes an incident response plan, is current, thorough, tested, observed and audited is critically important.
If your company plans to allow mobile devices to connect to the EHR system, then a system designed to keep data secure across multiple endpoints is essential. Thin client platforms allow for deep access into systems and data without storing sensitive information on the devices themselves. This technology has been in use in other sectors for many years. Mobile device management is available to provide strict control over the data accessed by and stored on mobile devices.
By vetting EHR vendors along with other service providers that access patient data and share responsibility for complying with HIPAA and by approaching your EHR implementation in a thoughtful way, your organization will be in a better position to protect patient data and reduce your exposure to a costly and damaging data breach.
About the Author
Deena Coffman is chief operating officer for IDT911 Consulting and Information Security Officer for IDentity Theft 911.