The 'Human Side' of EHR Security
EHR Security Functions Alone Inadequate to Protect Data
To ensure the security and privacy of EHRs requires the development of appropriate rules, policies and procedures, Cassidy says. "It's the human side of actually using the software that makes or breaks the security."
Without adequate governance of the use of EHRs, she says, the applications "are just another software product that could be abused."
In an interview (transcript below) about preparing for participation in the HITECH Act's EHR incentive program, Cassidy:
- Urges hospitals and clinics to carefully monitor "what's turned on and what's turned off" when it comes to the security functions of EHRs;
- Calls conducting a risk assessment essential, portraying the process as an often "overlooked" and challenging aspect of qualifying for the HITECH program;
- Points to the need to ensure that audit logs adequately track all EHR use and that role-based access controls are in place;
- Stresses the need to have security experts on staff, including those with the AHIMA CHPS certification (Certified Healthcare Privacy and Security);
- Describes the need to understand the EHR certifications offered by the "authorized testing and certified bodies" designated under the HITECH incentive program as well as the more comprehensive, independent certification of EHRs offered by the Certification Commission for Healthcare Information Technology.
AHIMA has more than 60,000 members who work in health information management roles. In addition to serving as volunteer president of AHIMA's board, Cassidy is vice president of HIM product management for QuadraMed Corp., a software company. Previously, she served as an executive with the Certification Commission for Healthcare Information Technology, senior manager at Price Waterhouse and Ernst & Young, and as an HIM administrator at two major teaching hospitals, including the Cleveland Clinic Foundation.
HOWARD ANDERSON: For starters tell us a bit about AHIMA.
BONNIE CASSIDY: The American Health Information Management Association is a membership association of health information management professionals. There are over 60,000 members, and AHIMA is dedicated to the effective management of personal health information. ...
ANDERSON: To earn EHR incentives from Medicare or Medicaid, hospitals and physicians have to use certified EHR software that includes a list of specific security functions, including encryption and authentication, among many others. What is the best way to go about comparing and contrasting the effectiveness of the security functions of the EHR software that is out there?
CASSIDY: To really understand the security functions of the EHR software, the providers must be knowledgeable about what exactly people mean when they say a certified EHR. So to begin with, I would recommend providers check out the Certification Commission for Healthcare Information Technology website because that is the first area to really see what is included.
So first the buyer has to know what type of certification a product has, and now there are two different types of certifications that are available; there is the CCHIT 2011 certification, an independently developed certification that includes a rigorous inspection of the EHRs' functionality, interoperability and security. As part of that whole independent evaluation, successful use is also verified by CCHIT at live sites and product usability is rated.
Then the other type of certification that we have now is for the ARRA/HITECH EHR incentive program. ... for which several Authorized Testing and Certification Bodies have been selected, including CCHIT ... So it is important that you know what is in the scope of each one of those two types of certifications.
The second thing the buyer has to know is what security functions specifically are included in those certification test scripts -- what security functions are tested. When we talk to providers, they are assuming oftentimes that everything needed for security is included in that certification process.
So just like privacy, security can be included in the EHR software, but it is the human side of actually using that software that makes or breaks the security. ... things like the governance and the rules and the policies and the procedures. All of those that have to do with using the EHR really make a difference for the privacy aspect. Without the EHR governance, the EHR is just really another software product that could be abused. ...
An area that the HIM professional is responsible for in organizations is the EHR governance. The EHR software can have the security audit logs, for example, that include all of the various steps that are tested, and of course the software is certified. But the user can turn off that functionality, and the EHR is able to work without it. Then your entire security system is violated. So you really need to be monitoring those security aspects and what is turned on and what is turned off.
Risk Analysis
ANDERSON: To qualify for the HITECH Act incentives, hospitals and physicians must conduct a risk analysis and then take action to mitigate those risks that they have identified. What tips would you offer in how to conduct an effective risk assessment, especially if you have a limited budget?
CASSIDY: ... While the technology selected is a major component in meeting the meaningful use requirements, an overlooked and really challenging aspect is the performance of that risk assessment to protect the confidentiality, the integrity and the availability of the health information.
Under the HIPAA security rule there are two different types of assessments. One is a compliance assessment, or an evaluation where you really have to answer questions like, "Where do we stand with respect to the regulations?" or "How well are we achieving this ongoing compliance?" So within that standard you are performing a periodic technical and non-technical evaluation, and at the end of the evaluation you have a summary of the compliance indicators.
The other type, again required by the HIPAA security rule, is the risk assessment for an analysis that answers the question: What is our exposure of information assets like protected health information, and what do we need to do to mitigate these risks?
So the first one is really high-level. The second one is really about getting down deep into the weeds and doing a thorough assessment of the potential risks and vulnerabilities within your organization.
For the risk mitigation, the organization should really also be conducting their own readiness assessment. They can do that themselves to really answer questions like: "Have we implemented adequate privacy safeguards and have we implemented adequate security safeguards?" ... Doing their own risk mitigation readiness assessment ... will really bubble up all of the issues that they need to address for privacy and security.
Risk Mitigation
ANDERSON: So what do you think are some of the key risk mitigation steps that many organizations will wind up having to take as a result of their risk assessment?
CASSIDY: ... Many right now are taking a look at the meaningful use regulations and then they are also taking a look at their HIPAA privacy and security exposure. They are trying to do a review of that security risk analysis and really implement those security updates as they are needed, right along the same time they are identifying any security deficiencies or working on meaningful use.
So many times, they could be dealing with their security logs or their audit trails. They could be finding out that certain items that needed to be tracked or included in their audit trail are not being tracked, or certain key components are missing. But they are never going to know that until they dive in and really find out what is included ... and use access controls or roles-based controls ... to see who has access and do a lot of testing.
It's about taking a look at policies and procedures and testing them and seeing if they are enforced and also going back and seeing the consequences.
You have to monitor what is being done throughout the organization -- working with human resources, for example, because ... they have to address issues through employee disciplinary action as well. You have to work with your employees that are not in health information technology or in health information management, including care providers with access to patient information, to provide constant training and re-training of the workforce on the confidentiality of the information.
Privacy Protection
ANDERSON: Finally, what other advice would you offer to organizations about how to ensure the privacy of patient information, especially as they implement electronic health records?
CASSIDY: Well every provider organization has to have a health information management professional working as part of the team. ... Now more than ever, experts need to be sought out to ensure that appropriate measures are taken to protect the health data. AHIMA has a certification for those with expertise in healthcare privacy and security (that is referred to as a CHPS) where you are certified in healthcare privacy and security. I would recommend that providers look for someone who has earned that designation to have that person on the team as they are testing and certifying for privacy and security and doing evaluations within their organization. AHIMA CHPS is the only certification that combines privacy and security within one credential in the healthcare industry.
That certification ensures that you have got the advanced competency in designing and implementing and administrating the comprehensive programs that the organizations need to make sure that they are constantly doing their own self-assessment on all areas of privacy and security as they move forward with HIT adoption.
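Two of the checks Cassidy describes in the interview, watching for audit logging that has been "turned off" while the EHR keeps working, and testing role-based access controls against the audit trail to "see who has access", can be run as a script over an audit export. The following is an added example, not code from the interview, from AHIMA or from any EHR vendor. The pipe-delimited log format, the role-to-action matrix, the AUDIT_OFF/AUDIT_ON configuration markers and the sample log lines are all constructed for illustration; a real EHR exports its audit trail in its own format, so the parser and the role matrix would be adapted to it.

```python
"""Added example: two audit-trail checks for an EHR deployment.

1. Role-based access check: flag every logged action that the actor's
   role is not permitted to perform (or whose role is unknown).
2. Audit-gap check: flag periods where audit logging was explicitly
   disabled, or where the log falls silent for longer than expected.

Everything below (log format, roles, sample lines) is constructed.
"""
from datetime import datetime, timedelta

# Constructed role matrix: which audit actions each role may perform.
# A real deployment derives this from the EHR's own role definitions.
ROLE_PERMISSIONS = {
    "physician": {"view_chart", "update_chart", "order_meds"},
    "nurse": {"view_chart", "update_vitals"},
    "billing": {"view_demographics"},
    "him": {"view_chart", "release_of_information", "audit_config"},
}

# Constructed sample audit export: timestamp|user|role|action|target.
# The billing user views a full chart (not permitted), and audit logging
# is switched off at 09:10 and back on at 13:45.
SAMPLE_LOG = """\
2011-03-01T08:00:12|dr.lee|physician|view_chart|MRN1001
2011-03-01T08:05:40|nurse.kim|nurse|update_vitals|MRN1001
2011-03-01T08:30:05|billing.jo|billing|view_chart|MRN1002
2011-03-01T09:10:00|admin.pat|him|audit_config|AUDIT_OFF
2011-03-01T13:45:22|admin.pat|him|audit_config|AUDIT_ON
2011-03-01T13:50:00|dr.lee|physician|view_chart|MRN1003
"""


def parse_log(text):
    """Parse the constructed pipe-delimited format into sorted event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, user, role, action, target = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "role": role,
            "action": action,
            "target": target,
        })
    return sorted(events, key=lambda e: e["ts"])


def find_role_violations(events, perms=ROLE_PERMISSIONS):
    """Return events whose action is outside the actor's role.

    A role missing from the matrix is treated as having no permissions,
    so an undocumented role surfaces here instead of silently passing.
    """
    return [e for e in events if e["action"] not in perms.get(e["role"], set())]


def find_audit_gaps(events, max_silence=timedelta(hours=1)):
    """Return (start, end, reason) tuples for suspicious audit coverage gaps.

    Two signals: an explicit AUDIT_OFF ... AUDIT_ON configuration change,
    and any stretch between consecutive events longer than max_silence
    (which also catches logging that was disabled without leaving a marker).
    """
    gaps = []
    off_since = None
    prev = None
    for e in events:
        if e["action"] == "audit_config":
            if e["target"] == "AUDIT_OFF":
                off_since = e["ts"]
            elif e["target"] == "AUDIT_ON" and off_since is not None:
                gaps.append((off_since, e["ts"], "audit logging explicitly disabled"))
                off_since = None
        if prev is not None and e["ts"] - prev["ts"] > max_silence:
            gaps.append((prev["ts"], e["ts"],
                         "no audit events for %s" % (e["ts"] - prev["ts"])))
        prev = e
    if off_since is not None:
        gaps.append((off_since, None, "audit logging disabled and never re-enabled"))
    return gaps


def run_checks(text):
    """Convenience wrapper: both checks over one export."""
    events = parse_log(text)
    return {
        "events": len(events),
        "role_violations": find_role_violations(events),
        "audit_gaps": find_audit_gaps(events),
    }


if __name__ == "__main__":
    result = run_checks(SAMPLE_LOG)
    for v in result["role_violations"]:
        print("ROLE VIOLATION", v["ts"], v["user"], v["role"], v["action"], v["target"])
    for start, end, reason in result["audit_gaps"]:
        print("AUDIT GAP", start, end, reason)
```

On the sample export the script reports one role violation (the billing user viewing a chart) and two coverage gaps for the same window: the explicit AUDIT_OFF marker and the four and a half hours of silence that followed it. The silence check matters because a disabled audit log leaves no marker of its own; the only evidence is the absence of events during hours when the system was in use, so `max_silence` should be tuned to the site's normal activity rather than left at the placeholder one hour.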