October 11, 2010

Securing Remote Access to EHRs
By Keith Fulmer, MHSA, PMP
For The Record
Vol. 22 No. 18 P. 6

As healthcare facilities adopt EHRs, data security becomes an increasingly important and worrisome issue among regulatory bodies. While most EHR systems are designed to provide a high degree of protection within a facility’s network, transmitting protected health information (PHI) and allowing remote access to electronic systems can pose major security risks.

Since the use of EHR systems is relatively new, few healthcare providers are aware of the security dangers that surround electronic record transport and remote access. It’s crucial that health information professionals understand these challenges and lead their organizations in developing measures to protect PHI.

Remote Risks
When working with EHRs, most healthcare facilities will find they must be able to give other facilities or remote coders access to electronic records in their systems. Naturally, staff will want to e-mail records since it is a quick and easy transport method. However, e-mail is inherently unsafe. Most consumer-level e-mail systems—and nearly all free, Web-based e-mail services—are not secure. When an unprotected message is transmitted electronically, it can easily be intercepted and read by unauthorized individuals.

If records must be sent electronically, healthcare facilities should ensure they have some control over how the records are accessed. One sound strategy is to provide a controlled download site that allows staff to e-mail a link to an authorized user outside the system, allowing that user to download the record through a secure server controlled by the healthcare facility. This is safer than sending the record as an e-mail attachment even when the e-mail is protected.

Healthcare facilities should also provide tools to encrypt a record with a password prior to sending. Some e-mail encryption services can automatically identify and encrypt messages containing PHI to help prevent accidental transmission of confidential patient data. However, these tools are generally expensive, making them beyond the reach of many facilities’ budgets. If these services are too costly, it’s important to develop policies that discourage or prohibit sending records via e-mail.

Facilities that employ home-based remote coders in an effort to provide an efficient alternative to in-house coding may encounter extra data security concerns. If the facility does not control the systems remote coders use to access the network, there could be opportunities for unauthorized access, since the network would be protected only to the level of an end user’s hardware.

If remote workers use their own laptops, they could create vulnerabilities in a facility’s network, increasing the threat of security breaches as well as viruses and malware. Laptop use creates another concern in that they are designed to be portable and can be used outside a private workspace. According to HIPAA, remote coders must use a private space with computers dedicated to coding, and facilities must confirm compliance with this rule.

Once a facility has resolved the issue of laptop use, it must ensure that remote coders can safely log in to facility systems to access medical records. Healthcare organizations should provide coders with hardware or offer virtualization solutions such as a secure portal that allows coders to log in to the network from their own computers. Other alternatives include choosing not to allow remote coding or engaging a responsible staffing firm with high-quality data security solutions to provide remote coding services.

If a healthcare facility chooses to employ its own remote coders, IT staff should equip all laptops with full disk encryption and install software such as Computrace that allows the facility to track the computers and secure them and the data they hold even if they are off the network. This technology can show IT managers where the laptops are, who uses them to log in to the network, what software the laptops have installed, and how well the computers are encrypted. All computers used for remote access should contain the latest virus and malware protections.

Developing EHR Security Policies
When implementing EHRs, an interdepartmental team should be formed to evaluate a facility’s data security needs, determine the best solutions, and set security rules. Both the IT and HIM departments should play a significant role in defining policies and procedures. IT expertise is vital to selecting the appropriate security solutions and developing guidelines, while HIM staff must test the security procedures to make sure they don’t slow work processes. Together, the IT and HIM departments can establish the best security strategies that will allow staff to work efficiently and productively.

To ensure PHI is properly protected in an EHR, healthcare providers should do the following:

• Assess and adjust PHI access levels: Facilities should evaluate how PHI is stored within their system and determine which staff members have access to patient data and how much data they should be allowed to handle. Access levels should be adjusted so that only authorized personnel have access to PHI.

• Set rules for e-mail: Whether it’s decided that transferring PHI through e-mail will be prohibited or a secure downloading solution or e-mail encryption will be employed, a facilitywide policy must be established and enforced.

• Create guidelines for remote access: If a facility plans to allow authorized users to log in to the network remotely, the team must determine whether the organization will provide access for remote workers with hardware or through secure virtualization technology.

• Communicate policies with staff: Staff members should receive security training that stresses the importance of data security measures and the steps that must be taken by all employees to comply with security rules. At least once per year, refresher courses should be conducted to emphasize key security precautions and communicate any policy changes. If a significant change is made in government regulations that results in the modification of facility security procedures, training should be conducted as soon as possible to inform the staff of the changes.

• Monitor security: It’s important to ensure that processes are put in place to monitor security procedures and evaluate how well users are following guidelines.

If healthcare facilities take the proper steps to safeguard EHRs, the threat of security breaches and resulting HIPAA penalties can be minimized, and patients will likely be more confident that their electronic health information is well protected. Although HIT is widely supported among industry leaders as an advancement that has the potential to improve quality of care and patient safety, consumer approval must still be earned. To take full advantage of HIT’s benefits and build patient trust, healthcare facilities must establish the right policies to protect electronic health information.

— Keith Fulmer, MHSA, PMP, is vice president of health and life science operations for Kforce, Inc, a professional staffing firm.