How you can protect patient confidentiality now
Passwords, identifiers, firewalls get you started
Rep. Nydia M. Velazquez (D-NY) has filed a $10 million lawsuit against New York City-based St. Clare’s Hospital for allegedly leaking word of her suicide attempt to a reporter. This is the kind of horror story the industry will see more of if it doesn’t initiate proactive efforts immediately to secure access to patient records, says John Glaser, PhD, vice president and chief information officer for HealthCare Partners, a group of 4,000 physicians and three hospitals in the Boston area. Glaser is a member of a panel commissioned to study and report on health care information security for the National Research Council (NRC), under the auspices of the Institute of Medicine.
If you think you can't do it alone, that you can't solve all the security problems threatening the field of health care information management by yourself, you're right.
Industry standards, regulations, and pressure from consumers (both those who buy the systems and the patients who are served by them) are needed to bolster the privacy and security of electronic patient records, says the NRC report.[1] But there are things you can do in your practice now to protect information as much as possible.
Implementing the suggestions outlined below shouldn't break your bank account, Glaser adds. Although the council did not study cost estimates for instituting tighter security measures, its research found that most vendors who install your system will add tighter security features at little or no extra cost, but you have to ask for it.
Solutions are available now to make electronic records even more secure than paper records, says Paul D. Clayton, chair of the NRC panel that prepared the report and chair of the department of medical informatics and director of clinical information services at Columbia Presbyterian Medical Center in New York City. For example, electronic audit trails can track every access to a medical record, unlike a paper trail record system. Also, tough penalties for violators can help deter hackers, says Clayton.
The committee offers a checklist of instructions for your practice to follow immediately to ensure security. The list is divided into two main parts: technical practices and policies, and organizational practices.
• Technical practices and policies.
Individual "log-in" identifiers. To establish individual accountability, provide each individual in an organization a unique identifier, or log-on ID, to get access into the information system. Strict procedures should be established for issuing and revoking these identifiers.
Automatic log-off functions. Wherever appropriate, program computer workstations to automatically log off when left idle for a specified period of time. You should be able to adjust the time period easily.
Access controls. Implement procedures that ensure users can access and retrieve only information that they have a legitimate need to know. Methods of doing this can vary, and they should be worked out with your system vendor.
Audit trails. Maintain audit trails, in an easily retrievable and usable form, that log all accesses to clinical information. The logs should include the date and time of access, the information or record accessed, and the user ID of the person who accessed the information.
Organizations that provide health care to their employees should enable employees to audit access to their own health records. Organizations should establish procedures for reviewing audit logs to detect inappropriate access.
Physical security and disaster recovery. It may be easier than you think for an outsider to get into your office unnoticed. If your practice doesn't employ a risk manager, you may want to contract with a risk manager or consultant who has special training in this kind of process. Also, if you don't have a disaster plan, you need one that covers both a natural emergency or disaster and a computer failure. Be sure you have back-up data stored in a safe place.
Protection of remote access points. If your organization has a centralized Internet connection, install a "firewall" or electronic barrier that provides strong, centralized security and allows outside access only to those systems critical to outside users. Vendors are equipped to install these firewalls, but you generally have to ask for them specifically.
Also, organizations should require a secure authentication or log-in method for remote and mobile users, such as those using home computers. If your organization opts not to take these precautions, you should allow external remote access only over dedicated lines.
Protection of external electronic communications. Encrypt all patient-identifiable information before transmitting it over public networks, such as the Internet. Any group that doesn't meet this requirement should either refrain from transmitting information electronically outside the organization, or do so only over secure, dedicated lines.
Insist on virus-checking software. Exercise and enforce discipline over user software. At a minimum, install virus-checking programs on all servers and limit the ability of users to download or install their own software. These technical practices should be supplemented with organizational procedures and educational campaigns to provide further protection against malicious programs and to raise users’ awareness of the problem.
Routine security assessments. Formally assess the security and vulnerabilities of information systems on a routine basis. For example, run existing "hacker scripts" and password "crackers" against systems on a monthly basis.
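One way to put the audit-trail and need-to-know items above into practice, as an added example that is not from the article or the NRC report: the log lines, the care-team roster, and the browsing threshold are constructed for illustration, and the log format (timestamp, user ID, record) simply mirrors the three fields the checklist asks for.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample audit trail (not real data). Each line carries the three
# fields the checklist calls for: date/time of access, user ID, record accessed.
AUDIT_LOG = """\
1997-03-04T08:12:00 dr_smith MRN-1001
1997-03-04T08:15:00 dr_smith MRN-1002
1997-03-04T09:02:00 nurse_lee MRN-1001
1997-03-04T09:40:00 clerk_ray MRN-1003
1997-03-04T10:05:00 clerk_ray MRN-1001
1997-03-04T10:06:00 clerk_ray MRN-1002
1997-03-04T10:07:00 clerk_ray MRN-1004
"""

# Constructed need-to-know roster: users with a legitimate reason to open each record.
CARE_TEAM = {
    "MRN-1001": {"dr_smith", "nurse_lee"},
    "MRN-1002": {"dr_smith"},
    "MRN-1003": {"clerk_ray"},
    "MRN-1004": {"dr_jones"},
}


def parse_audit_log(text):
    """Parse 'timestamp user record' lines into (datetime, user, record) tuples."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        when, user, record = line.split()
        entries.append((datetime.fromisoformat(when), user, record))
    return entries


def find_need_to_know_violations(entries, care_team):
    """Accesses by users not on the record's care team (unknown records count too)."""
    return [e for e in entries if e[1] not in care_team.get(e[2], set())]


def find_record_browsing(entries, max_records=2):
    """Users who opened more distinct records than expected in the reviewed window."""
    seen = defaultdict(set)
    for _, user, record in entries:
        seen[user].add(record)
    return {u: sorted(r) for u, r in seen.items() if len(r) > max_records}


def accesses_to_record(entries, record):
    """The view a patient (or employee) gets when auditing access to their own record."""
    return [(when.isoformat(), user) for when, user, rec in entries if rec == record]
```

Both review functions run over the same parsed log, so a nightly job can report need-to-know violations and record browsing together, while accesses_to_record serves the patient-facing audit request.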
• Organizational practices.
Clear, explicit security policies. If you don’t have them, develop and publish in-house security and confidentiality policies that express your dedication to protecting health care information. If you do have them, it may be wise to review them and get them up-to-date with current public sentiment regarding patient record confidentiality.
Security and confidentiality committees. Establish formal points of responsibility: standing committees for large organizations, small or single-person committees for small organizations. Their task should be to develop and revise policies for protecting patient privacy and for ensuring the security of information systems.
Information security officers. Identify an information security officer who is authorized to implement and monitor compliance with security policies and practices. The security officer should maintain contact with relevant national information security trends, policies, and technical innovations.
Education and training programs. Establish programs to ensure that all users of information systems receive some minimum level of training in relevant security practices and knowledge regarding existing confidentiality policies before being granted access to any information systems.
Sanctions. Develop a clear set of sanctions for violations of confidentiality and security policies that are applied uniformly and consistently to all violators, regardless of job title.
Improved patient authorization forms. Revisit your patient information authorization forms to ensure they clearly describe the flow of health data. Make sure these forms limit the time period for which authorizations are valid. The forms should list the types of organizations to which identifiable or unidentifiable information is commonly released.
Patient access to audit logs. Make sure patients know they have the right to request audits of all accesses to their electronic medical records and to review these logs.
Reference
1. For the Record: Protecting Electronic Health Information. Washington, DC: National Research Council; 1997.