Though EHR security is just one component of a healthcare C-level executive’s job description, securing EHRs has various sub-components and best practices as well. Depending on which day it is, a healthcare CIOs or CISO may focus on the EHR Meaningful Use Program’s certification standards, data encryption methods or how the organization technical infrastructure is going to affect data security. Read through these five EHR security considerations and learn the different approaches organizations take to data security.
1. Auditing for EHR Meaningful Use Certification Standards
Many healthcare organizations have already taken advantage of the federal EHR Meaningful Use Program and will continue to do so. But a key aspect to EHR certification under this program is data security. For example, David Sheidlower, CISO of Health Quest, recently told HealthITSecurity.com that Health Quest is well into Stage 1 Meaningful Use and completed some go-lives with our hospital EMR, it has a little more breathing room to work on the security framework for Stage 2 Meaningful Us. Any initiative around meaningful use is centered around meaningful use-compliant applications, balancing responsibilities isn’t easy. “With a risk assessment, evaluation of controls and a security framework, while I’m laser-focused on meaningful use requirements, I need to make sure I’m not ignoring other parts of the organization,” he said.
For Shafiq Rab, CIO and Vice President of Hackensack University Medical Center, meaningful use audits serve as a solid baseline for his overall security program. Rab explained that Hackensack University Medical Center has been through Stage 1 Meaningful Use security analyses and now it’s getting ready for Stage 2 Meaningful Use.
“We know that one day we’ll be audited and because of that we look to see if there are any deficiencies. From a few different risk assessments to multiple penetration tests to data loss prevention (DLP), we have put all those things in place,” he said. “And through those tests, we have a risk mitigation process where a committee meets every month and helps [uphold high security standards].”
2. Endpoint security
Every EHR security framework is (or should be) multi-layered and, as Ron Mehring, director of information security for Texas Health Resources, explained back in February, securing end points is an important consideration. Texas Health Resources views its architecture in layers and then applies non-technical and technical security approaches to each layer to protect information and systems.
We have a boundary layer security area with firewalls and intrusion prevention systems and an endpoint security layer where we’re securing different end points such as desktops, servers and mobiles devices. We have that layer that resides, more or less, in between the boundary and endpoint security layers where we’re doing things such as database activity monitoring, managing privileged access, and integrity monitoring on specific high-value systems.
How does endpoint security fit into your architecture?
3. Going virtual
Infrastructure plans effect EHR security and vice-versa and C-level executives need to make the best operational and security decisions possible. Bruce Forman, Chief Information Security Officer (CISO) of UMass Memorial Medical Center, for example, said that UMass is moving toward a virtual desktop environment (VDI). This decision grants him more centralized access to the information, as it essentially never leaves the data center. But it also helps with UMass’s BYOD security initiative for laptops and for tablets since they will enter the environment in the same manner.
We encrypt all of our laptops and USB devices and have even started encrypting desktop devices because they’re getting smaller and smaller and easy enough to walk away with. With VDI, though, it matters less that the device is encrypted because you don’t attach to your own internal network and you can’t download the data virtually.
4. Encrypting data at rest and in motion
The onus is on a CIO or CISO to encrypt EHR data in a strong manner. There are a number of routes that these organizations can take toward encrypting data at rest and in motion. Vic Wadhawan, Chief Security Officer at the Drayer Physical Therapy Institute, said he uses a security vendor that supports Secure/Multipurpose Internet Mail Extensions (S/MIME) email encryption and Privacy (PGP) to alleviate some burden of managing keys and certificates.
But if organizations are looking for firm guidance on encryption, they can look at National Institute of Standards and Technology (NIST) publications on encryption. For example, the Department of Health and Human Services (HHS) uses NIST Special Publication 800-52 Revision 1 as a foundation for encrypting healthcare data in motion. And HHS still employs NIST Special Publication 800-111 for full disk encryption, volume and virtual disk encryption and file/folder encryption best practices.
5. EHR security audits
Just who’s going in and out of a healthcare organization’s network and potentially gaining access to EHR data? Nancy Davis, system director of privacy and security for Ministry Health Care, explained that her organization does EHR access auditing through a combination of internal and external auditing applications. Davis said step one should be to have an external auditing tool and then to continually examine audit reports. “Take care not to create audit reports and let them stack up without reviewing,” Davis said. “There should be a policy and auditing plan in place.” source