Key Message: Electronic health records bring many benefits along with security and privacy challenges.
Converting to the use of electronic health records can bring many advantages in the quality of health care. But it also brings particular security and privacy risks. In this podcast, Deborah Lafky, with the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health Information Technology (ONC), and Matt Butkovic, team lead for work CERT is doing with ONC, describe some of the opportunities and challenges that healthcare providers face as they move to electronic health records.
The HITECH Act
The Health Information Technology for Economic and Clinical Health (HITECH ) Act was passed by Congress as part of the stimulus bill at the beginning of the Obama Administration.
The HITECH Act
Key Benefits for Providers and Patients
These include the following
For example, if a woman who is found unconscious is taken to an emergency room and her primary care physicianís office is closed or unknown, no one will be able to access her paper records, which would have revealed that she is a diabetic.
With access to EHRs, emergency room doctors could
HHS regulates the privacy and security of medical records. The U.S. Health Insurance Portability and Accountability Act (HIPAA ) governs privacy and security for health records (paper and electronic).
HIPAA regulations have specific instructions for physicians, clinics, hospitals, and others who handle medical records about
ONC identifies and develops tools that will help providers keep EHRs secure. This includes ONCís work with CERT, to help providers reliably meet their EHR privacy and security requirements by identifying the presence or absence of key EHR management pratices.Key Security Requirements
EHRs are critical assets in the form of patient information, at the personal level for patients, for healthcare organizations, and at the national level. The goal is to ensure justified confidence in the confidentiality, integrity, and availability of medical records.
For organizations that are moving from paper records to electronic records:
Healthcare organizations must have a mechanism to identify and respond to security incidents involving EHRs.
Unlawful removal of paper records is limited by their bulk and visibility. Megabytes of electronic information, on the other hand, can be easily and secretly removed.
One of the key practices in securing EHRs is being able to identify if data has been alterated or exfiltrated (unauthorized removal of records), via
Guidance for identifying and handling incidents is available on CERTís incident management website and in the CERT Resilience Management Model.
Office of the National Coordinator for Health Information Technology
Most of the primary care in the U.S. is delivered by medical practices of one to five doctors. They donít have IT staffs; they donít know how to set up a computer network. ONC has used HITECH Act funding to help them.Beacon Communities
ONC collects input and sponsors projects to foster best practices in other areas where the beacon communities are not active. ONC creates, documents, and disseminates security and privacy best practices and gets people trained on how to use them.
One project that CERT is doing for ONC is to implement an online training program in incident response for healthcare providers.
Healthcare organizations of all sizes need to understand how EHRs fit in their overall risk management process. Understanding the connection between critical healthcare service assets, risk appetite, and the safeguards around those assets is key.
CERT is working with ONC to equip providers to evaluate their current posture and make improvements based on that analysis.Getting Started: Protect Patient Records
If a healthcare provider using EHRs allows portable storage, such as USB drives, they should:
Think about your risk profile in very concrete terms, such as comparing the protection of physical medical records with their electronic equivalent. For example, a hospital had an unencrypted hard drive stolen out of an employeeís car with 88,000 medical records on it. If you took all of those medical records in paper form and stacked them up, they would be taller than the tallest building in the world.
Examples such as this make is easier to understand what actions you need to take to mitigate risks to EHRs.Resources
National Institute for Standards and Technology (NIST) Health Information Technology
CERT Resilience Management
Computer Security Incident Response Team (CSIRT) Development
CERT Podcast: Electronic Health Records: Challenges for Patient Privacy and Security (September 2009)