EHR: Marrying IT and Healthcare Providers for Security

By Edgar Wilson, Marketing Consultant and Freelance Writer
Twitter: @EdgarTwilson

Oversharing is no longer just an obnoxious trend on Facebook—it is a professional hazard for healthcare professionals everywhere. With the advance of increasingly sophisticated EHR systems built around access, the sharing of patient documents and information faces some critical new risks.

Nurses, physicians, patients, specialists, and even insurance agents are all in line to get access to the same information via EHR systems. While more systems and providers advance towards greater access and information integration, integrated security has yet to become standard. As it turns out, the biggest security threats aren’t the ominous, external ones—they are simple human errors. A lost device, a weak password, or even just carelessness can quickly compound into a serious breach—and possibly an expensive one.

This is what integrated security is all about—making security not just a consideration, but a priority across the board, beyond IT departments. Just as everyone along the chain is going to have a role in EHR adoption, so everyone must also play a part in protecting access and data security.

As if healthcare professionals didn’t have enough to worry about—with HIPAA and Meaningful Use presenting incentives and punishments at every turn—now they have to function as IT security as well?

Unfortunately, that seems to be the most effective way to cope with the digital world of informatics. After all, cyber criminals are already proving willing and able to launch newly vigorous attacks directly targeting the medical community. To counter, security will have to grow beyond the IT box in which it has so comfortably sat for so long.

The shortcoming is not necessarily inherent to IT departments—the challenge of updating security practices and creating a more integrated, security-minded culture throughout the clinical environment (or smaller practice, for that matter) would be daunting to anyone.

What is more, the upfront (not to mention long-term) costs associated with implementing an EHR system can make it prohibitively expensive to hire additional security experts to contend with the increased risk and related challenges that come with the upgrade to digital.

Under the regulations governing Meaningful Use and the associated incentive program, providers are already subject to security audits and obligated to conduct Security Risk Assessments before they can qualify; normally, this comes under the purview of internal IT departments, which conduct (or outsource) the assessment, then take responsibility for future security management and compliance.

But EHR systems are much more complex than this model can effectively accommodate. The highly mobile nature of modern platforms—incorporating online access, especially from phones and mobile devices—broadens the vulnerability of sensitive information in a way internal IT departments cannot independently contend with.

Developing an integrated approach to IT security doesn’t have to be an onerous process—a review of policies, a calendar for updating passwords, even simply facilitating some inter-departmental communication can pay dividends by fostering improved awareness and cooperation.

In an era seemingly defined by oversharing and digital mobility, healthcare professionals are in a difficult position. An integrated approach based on common-sense solutions and collaboration will certainly not replace IT experts, but it will make their efforts more impactful. After all, the point of EHR implementation is to build smarter tools, not create security headaches.