Understanding the Security Rules Governing Electronic Health Records: Administrative Safeguards Part One
The nature of healthcare records has evolved tremendously over the years. From once being captured using pen and paper, to nowadays where the majority of healthcare records are made available to us electronically. While we can’t argue that this transformation to the digital age has made things more convenient, it has also lead to heightened risk as it relates to ensuring the confidentiality, integrity and security of Electronic Health Records (EHR) are properly safeguarded. EHR can range anywhere from patient demographics and clinicians’ notes to a patient’s entire medical history such as laboratory test results, medication lists and medical diagnoses which is why confidentially and privacy are so critical.
According to the ONC (Office of the National Coordinator) EHR adoption by healthcare providers has more than doubled over the last decade. Statistics presented by HealthIT.gov say the percentage of physicians using EHR systems has increased from 18% in 2001 to 57% in 2011. These numbers could be directly attributed to CMS (Centers for Medicare and Medicaid Services) offering financial incentives to eligible practices that have adopted the use of EHR and the promotion of interoperability between systems.
HIPAA has helped in the cause through establishing privacy and security rules to ensure that the medical records of each individual are protected. However, we have seen that lack of effective training of the workforce has led to the exposure of these sensitive records.
The Security Rule defines administrative safeguards as “administrative actions, policies and procedures to manage the selection, development, implementation and maintenance of security measures to protect e-PHI (Electronic protected health information) and to manage the conduct of the covered entity’s workforce in relation to the protection of that information.” All covered entities must comply with these security rules that address areas such as administrative, physical, technical organizational governance and policies and procedures. Health plans (health insurance companies, HMOs) healthcare clearinghouses, and health care providers who submit HIPAA transactions are defined by the HIPPA privacy rules as covered entities. The rules governing the security management process and assigned security responsibilities are explained further below.
Risk Assessment and Risk Management
The risk assessment is the foundation for risk identification, evaluation of existing internal controls and the development of the internal audit plans. There are multiple ways to structure the IT risk assessment. Approaches include starting with an inventory of all IT assets and then looking at the risks in relation. Another way is to identify the e-PHI within your organization, and then consider how it is used, transmitted and stored throughout the organization.
Consider including the following elements in your risk assessment:
- Internal and external threats
- The likelihood and potential damage of these threats
- All information assets (electronic and paper)
- Consider the ‘what ifs’
- Include all business lines
- Include the various risk categories
Ensure executive management is involved in the risk assessment process. It is important to note that a risk assessment is a living document, and that it will frequently change as developments in technology, environmental factors or regulatory standards change. That’s why it’s important to review all risk assessments and risk management processes at least annually.
Next, covered entities should establish and develop policies and procedures to address the appropriate use of e-PHI. You should ensure all of your employees are aware and are well-trained on its proper use. It’s important to apply “sanctions against workforce members who fail to comply with the security policies and procedures.” You should have a process in place for your employees to certify that they understand and will comply with the policies as they are defined. Ensure the acknowledgement includes a statement that addresses the consequences for violation of the security policies and procedures.
Information System Activity Review
Proper procedures and resources need to be in place to review security and access logs – and you should first ensure logging has been enabled for systems that store and transmit ePHI. The logs should help reveal the manipulation or any other unauthorized use of e-PHI. Review of perimeter security logs such as firewall logs, IDS/IPS should be performed daily.
Log activity review should include:
- Unsuccessful logon attempts to perimeter security devices.
- Suspicious outbound connections
- Probes to ports that have no application services running on them. This would not include standard FTP, HTTP or telnet ports.
- The volume of content transferred outside of the company by its employees or through third parties, such as by email attachments or uploads.
Ensure that a process is in place to use the findings from your reviews to help revise your information security program.
Assigned Security Responsibility
Covered entities should identify the security official that will be responsible for ensuring that the organization is in compliance to the security rules. Ensure a written formal job description is in place that documents and describes the official’s responsibilities.
Responsibilities of the security official should include:
- Being involved in the risk assessment process
- Implementing and maintaining policies and procedures
- Implementing strategies to manage risk
- Communicating issues to workforce and senior management
Incidents that take place in an organization are often the result of carelessness and lack of awareness regarding IT security protocol. Organizations should take the necessary steps to minimize privileges users have, especially those with administrative privileges.
Below are examples of breaches that have taken place in 2019 that happened due to human error.
Incident 1 – Seattle-based UW Medicine improperly exposed electronic health records of approximately 974,000 patients. The exposure was due to the accidental removal of protections on a network server and as a result, the files were accessible for a period of over three weeks.
Incident 2 – Philadelphia Penn Medicine alerted 900 patients that their clinical information which included social security numbers have been exposed. Patient records were viewed by an employee without a work-related reason.
Incident 3 – Bangor, Maine-based Northern Light Acadia Hospital mistakenly emailed medical information for 300 patients.
Below are controls that should have been in place to help reduce the likelihood of these incidents from happening
- Ensure information containing PII are sent using secure file transfer or via encrypted channels
- Enhance ongoing security awareness and training efforts for employees
- Consider implementing data loss protection (DLP) software
- Enforce the security principles of need-to-know access, least privilege
- Ensure access to sensitive folders are restricted based upon specific job requirements
As you can see, the risks are real and are happening all around us. Inadequate safeguards over EHR can lead to severe consequences for healthcare companies, which is why it’s important to ensure that the recommended mitigating controls are in place and are regularly tested.
For more information, feel free to reach out to me at firstname.lastname@example.org or (404)-420-5918.