You’ve heard it a million times. “Keep It Simple, Stupid!” No one’s going to convince a seasoned IT professional that securing electronic medical records is an easy task. But there are a few tips you can use to keep your focus in the right place as you create or refine a medical IT security system.
Start with an Audit
In order to protect patient information, you need to know where it’s going to be at every step once the facility has it. Start at the bottom (collecting the data) and work your way up (storing and backing up the data). You need to know everything about the computers, software and people involved in the process (who does what, when, where, why and how). Storyboard it if you have to.
Perform a new audit at least yearly to determine whether policies are working and whether changes should be made. If there are any policies or procedures that need refinement, do so as soon as possible. If any employees have left, ensure that their ability to access records was fully revoked. If there are any employees not using or incorrectly using the system, address the issue as instructed by management.
Once you understand the flow of the information, determine what standards need to be in place to protect it. Where necessary, issue passwords, swipe cards or key fobs to the individuals who need to access information (put a system in place to change the passwords frequently).
Access should only be granted on an as-needed basis. The billing department probably doesn’t need full access to the patient’s diagnosis, so tier your access levels accordingly. Keep in mind, a nurse who gets called to a patient who’s in trouble may forget to log off, so don’t forget the automatic log-off feature.
You should also have a mechanism in place to track access activity. At a later date, you (or a court of law) may need to know who was logged into that patient’s file at a particular time on a specific device. You should occasionally take a look at these logs to check for inconsistencies or suspicious behavior. Was Dr. Mitchell logged in last week despite the fact that you just got an email with his pictures from Maui?
Limit access to other software or systems on computers that can access secure records. Put prevention mechanisms in place to keep employees from accessing email or internet sites that could allow the copy or storage of information. Whenever possible, disable USB ports and other slots that could allow data storage devices to be used.
It goes without saying, but encrypt, encrypt, encrypt!
Remember that your disaster recovery plan requires precautions like backed up data and that this is also in need of security protections. Check your backups frequently to ensure you’re not backing up to a device that isn’t working properly. Put a system into place that prevents backup devices from leaving the facility in the wrong hands.
Don’t Forget the Human Factor
Computers are just tools that people use. Train the relevant staff members in the importance of following the protocols you’ve put in place. Use statistics or demonstrations to show them why passwords should be memorized and never shared with anyone else (even another co-worker). They need to know that it isn’t just an issue of following your rules, but a legal and ethical one. Sometimes, it’s helpful in gaining buy-in to new procedures to ask staff members to sign a written list of the procedures as part of their commitment to keeping patient information safe and private.
Finally, do what you can to make it easy, especially if it’s a transition. While passwords should be highly secure, don’t make them so impossible people have to write it down just to get access to files (which defeats the purpose of issuing them in the first place). They should look like passwords, not software keys.
Putting It All Together
Especially for larger organizations, securing electronic medical records is no easy task. But if you try to keep in mind that the real goal is providing the protection you’d want as a patient, you’ll always have a compass to guide you.