EHR: Wrapping it up with security

By TerryAnn Fitzgerald

Since we began this series of blogs detailing the impact that electronic health records (EHR) will have on your enterprise, Congress has passed its massive health care reform bill. This, coupled with last year’s HITECH Act—which included $19 billion in incentives for health care organizations to deploy EHRs—will provide the impetus that hospitals, physicians practices, insurance companies, independent laboratories, clinics and other medical entities will need to start or further their EHR rollouts.

However, as Computerworld’s Lucas Mearian points out in a recent article, the more patient data is digitized, the more the security risks grow. To overcome these threats, health care organizations must put their IT time and money into not just encryption, but protecting overall network access. The article points out that encryption “doesn’t mean you’ve protected medical information, because access control is the real issue. New cybercriminals do not do what the old cybercriminals did. They realize you’ll be encrypting the data and instead access the application and steal access rights.”

To counter this black hat offensive, health care organizations need to take a multi-layer approach to securing patient data in wired and wireless environments. While encryption is still needed, network access control, intrusion prevention and end-to-end monitoring will be key components in avoiding EHR leaks.

For comprehensive security, network access control will have to be applied at the user and device levels. As we’ve mentioned in the past few blogs, IT will have to get very specific about policies, detailing who can view what parts of patient records in what environment. For instance, IT will not want a consulting doctor to be able to access a patient’s file once he is no longer on the case. That can be controlled through centralized management tools that control access rights. IT can also set policies that restrict medical personnel from accessing patient records from unprotected devices or via unprotected wireless networks. These tools can even let IT demand that only devices with a certain level of virus protection be allowed to view patient files.
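To make the policy described above concrete, here is a small attribute-based access check written as an added example for this post (it is not code from the original article or from any product it mentions). Every role, patient id, device attribute, network name and threshold in it is constructed for illustration; a real deployment would pull these from the directory, the NAC system and the EHR application.

```python
"""Added example: attribute-based access decision for an EHR record request.
All names, roles, patient ids and policy values are constructed, not real."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from typing import Optional


@dataclass
class Assignment:
    patient_id: str
    ended_on: Optional[date] = None  # None means the clinician is still on the case


@dataclass
class User:
    name: str
    role: str
    assignments: list = field(default_factory=list)


@dataclass
class Device:
    managed: bool                # enrolled in IT's management tools?
    av_signature_version: int    # constructed stand-in for "level of virus protection"


@dataclass
class AccessRequest:
    user: User
    device: Device
    network: str      # "wired", "corp-wifi", "public-wifi" (constructed labels)
    patient_id: str
    section: str      # part of the record: "demographics", "clinical", "billing"
    today: date


# Constructed policy: which parts of a patient record each role may view.
ROLE_SECTIONS = {
    "physician": {"demographics", "clinical"},
    "nurse": {"demographics", "clinical"},
    "billing": {"demographics", "billing"},
}
TRUSTED_NETWORKS = {"wired", "corp-wifi"}
MIN_AV_SIGNATURE = 1200  # constructed minimum anti-virus signature version


def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Each deny reason is something IT would want logged."""
    # Device posture first: unmanaged or out-of-date anti-virus never sees patient data.
    if not req.device.managed:
        return False, "unmanaged device"
    if req.device.av_signature_version < MIN_AV_SIGNATURE:
        return False, "antivirus signatures below required level"
    # Network context: no patient records over an unprotected wireless network.
    if req.network not in TRUSTED_NETWORKS:
        return False, f"untrusted network {req.network}"
    # Role: may this role view this part of the record at all?
    if req.section not in ROLE_SECTIONS.get(req.user.role, set()):
        return False, f"role {req.user.role} may not view {req.section}"
    # Relationship: clinicians must be *currently* assigned to the patient,
    # so a consulting doctor loses access once the case has ended.
    if req.user.role in ("physician", "nurse"):
        active = any(
            a.patient_id == req.patient_id
            and (a.ended_on is None or req.today <= a.ended_on)
            for a in req.user.assignments
        )
        if not active:
            return False, "no active assignment to this patient"
    return True, "allowed"


def build_samples(today: date = date(2010, 4, 1)) -> dict[str, AccessRequest]:
    """Constructed requests covering each policy branch."""
    dr_adams = User("Dr. Adams", "physician",
                    [Assignment("P-1001"), Assignment("P-2002", ended_on=date(2010, 3, 15))])
    clerk = User("B. Chen", "billing")
    good = Device(managed=True, av_signature_version=1250)
    stale = Device(managed=True, av_signature_version=900)
    return {
        "active_case_wired": AccessRequest(dr_adams, good, "wired", "P-1001", "clinical", today),
        "closed_case": AccessRequest(dr_adams, good, "wired", "P-2002", "clinical", today),
        "stale_av": AccessRequest(dr_adams, stale, "wired", "P-1001", "clinical", today),
        "public_wifi": AccessRequest(dr_adams, good, "public-wifi", "P-1001", "clinical", today),
        "billing_clinical": AccessRequest(clerk, good, "corp-wifi", "P-1001", "clinical", today),
        "billing_billing": AccessRequest(clerk, good, "corp-wifi", "P-1001", "billing", today),
    }


if __name__ == "__main__":
    for label, req in build_samples().items():
        print(f"{label:18} -> {evaluate(req)}")
```

The order of the checks is deliberate: device posture and network context are evaluated before the user's role and case assignment, so a compromised or unprotected endpoint is refused regardless of who is logged in, which is the point the Computerworld article makes about attackers going after access rights rather than encrypted data.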

In addition to network access control, a health care organization will need to be able to monitor, detect and remediate security issues that arise. To do this effectively will require management tools that can automatically gather and analyze log and event information from the hundreds or thousands of devices in the network. These tools must be able to consolidate information from wired and wireless networks into a single view so that IT doesn’t have to toggle between individual management windows to find common faults.

Once a vulnerability is identified, the management tools should be able to quarantine the device and either automatically remediate the problem (for example, by pushing an anti-virus software update) or alert IT so they can address the issue.

Finally, to achieve complete security in an EHR environment, IT must be able to audit and report on activities. If there is no overarching management system, then getting an accurate view of a healthcare organization’s security posture for auditors will be nearly impossible. A centralized management platform will enable IT to easily generate targeted reports that speed the auditing process and enable ongoing compliance.
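The three preceding paragraphs describe one pipeline: gather log lines from wired and wireless gear, consolidate them into a single view, decide on quarantine and remediation, and report for auditors. The following added example (not code from the original post or from any management product) walks that pipeline over a handful of constructed log lines; the two log formats, hostnames, MAC addresses, user names and the failed-login threshold are all invented for illustration.

```python
"""Added example: consolidate wired and wireless logs into one event stream,
decide quarantine/remediation actions, and produce an audit summary.
Log formats, hosts, MACs, users and thresholds are constructed."""
from __future__ import annotations

import re
from collections import Counter

# Constructed sample lines. The wired switch and the wireless controller
# log in different formats, which is exactly why a single view is needed.
WIRED_LOGS = [
    "2024-05-01T08:00:01 sw-core1 NAC: mac=00:11:22:33:44:55 user=jdoe posture=PASS",
    "2024-05-01T08:02:10 sw-core1 NAC: mac=00:11:22:33:44:66 user=asmith posture=FAIL reason=av-outdated",
    "2024-05-01T08:03:00 sw-core1 AUTH: mac=00:11:22:33:44:77 user=rlee result=FAIL",
]
WIRELESS_LOGS = [
    "May  1 08:01:30 wlc1 client 00:11:22:33:44:77 ssid=CLINICAL auth=FAIL user=rlee",
    "May  1 08:01:35 wlc1 client 00:11:22:33:44:77 ssid=CLINICAL auth=FAIL user=rlee",
    "May  1 08:05:00 wlc1 client 00:11:22:33:44:88 ssid=CLINICAL posture=FAIL reason=unmanaged",
]

WIRED_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>NAC|AUTH): (?P<kv>.*)$")
WIRELESS_RE = re.compile(r"^(?P<ts>\w+\s+\d+ [\d:]+) (?P<host>\S+) client (?P<mac>\S+) (?P<kv>.*)$")
AUTH_FAIL_THRESHOLD = 3  # constructed: failed logins per device before quarantine


def _fields(text: str) -> dict:
    """Parse 'key=value key=value' into a dict."""
    return dict(p.split("=", 1) for p in text.split() if "=" in p)


def normalize(line: str, source: str) -> dict | None:
    """Map either log format onto one common event schema; None if unparsable."""
    if source == "wired":
        m = WIRED_RE.match(line)
        if not m:
            return None
        f = _fields(m["kv"])
        etype = "posture" if m["kind"] == "NAC" else "auth"
        ok = f.get("posture") == "PASS" or f.get("result") == "SUCCESS"
        mac = f.get("mac")
    else:
        m = WIRELESS_RE.match(line)
        if not m:
            return None
        f = _fields(m["kv"])
        etype = "posture" if "posture" in f else "auth"
        ok = f.get("posture") == "PASS" or f.get("auth") == "OK"
        mac = m["mac"]
    return {"source": source, "host": m["host"], "mac": mac, "user": f.get("user"),
            "type": etype, "ok": ok, "reason": f.get("reason")}


def consolidate() -> list[dict]:
    """The 'single view': both networks' events in one list, one schema."""
    events = [normalize(l, "wired") for l in WIRED_LOGS]
    events += [normalize(l, "wireless") for l in WIRELESS_LOGS]
    return [e for e in events if e is not None]


def decide_actions(events: list[dict]) -> list[dict]:
    """Quarantine failed-posture devices (auto-fix where possible) and
    devices whose failed logins across both networks reach the threshold."""
    actions = []
    for e in events:
        if e["type"] == "posture" and not e["ok"]:
            # Outdated anti-virus can be fixed by pushing an update; an
            # unmanaged device needs a human, so IT is alerted instead.
            fix = "push-av-update" if e["reason"] == "av-outdated" else "alert-it"
            actions.append({"mac": e["mac"], "action": "quarantine", "remediation": fix,
                            "why": f"posture failed on {e['source']}: {e['reason']}"})
    fails = Counter(e["mac"] for e in events if e["type"] == "auth" and not e["ok"])
    for mac, n in fails.items():
        if n >= AUTH_FAIL_THRESHOLD:
            actions.append({"mac": mac, "action": "quarantine", "remediation": "alert-it",
                            "why": f"{n} failed logins across wired and wireless"})
    return actions


def audit_report(events: list[dict], actions: list[dict]) -> dict:
    """Summary an auditor can read without opening each device's console."""
    return {
        "events": len(events),
        "by_source": dict(Counter(e["source"] for e in events)),
        "posture_failures": sum(1 for e in events if e["type"] == "posture" and not e["ok"]),
        "auth_failures": sum(1 for e in events if e["type"] == "auth" and not e["ok"]),
        "quarantined": sorted({a["mac"] for a in actions}),
    }


if __name__ == "__main__":
    ev = consolidate()
    acts = decide_actions(ev)
    for a in acts:
        print(a)
    print(audit_report(ev, acts))
```

Note the device ending in `:77`: it has one failed login on the wired side and two on wireless. Neither console on its own reaches the threshold of three; only the consolidated view does, which is the practical reason the post insists on one view rather than toggling between management windows.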

Keeping all of this in mind as EHR rollouts begin or continue will ensure that patient records will be properly protected and safeguarded from malicious activity.
