Guest Column | May 3, 2016

Proactive Security Measures Essential To Preventing Data Breaches

Stephanie Tatum, director of health information and informatics management and privacy officer, Oakland Regional Hospital

By Stephanie Tatum, director of health information and informatics management and privacy officer, Oakland Regional Hospital

When our organization, Oakland Regional Hospital, a 45-bed general acute care hospital in the Detroit metropolitan area, migrated to a new EHR system, we also had an opportunity to improve our data security policies and procedures. With our former EHR, our data security protocol was reactive based on reported incidents, which we realized was not sustainable from a risk management perspective.

Our new EHR has allowed us to implement more proactive data security policies and procedures, which gives my department, health information management (HIM), a greater level of transparency into who accesses protected health information (PHI) and from where, including off-site.

Crucial to our success was partnering with CareTech Solutions to ensure our new EHR vendor helped us establish an audit trail for each access attempt. Together, we also revised our IT help desk ticket process to ensure access permission levels were promptly updated when staff and provider roles changed at the hospital.

Meaningful Use Prompting Changes

The impetus for switching EHR systems was so our hospital could attest for the Meaningful Use (MU) program. Our new EHR system is cloud-based, which among other interoperability benefits, helped us achieve the MU program requirements related to offering patients electronic access to their health information. This increased PHI access from the outside and due to the cloud-based platform, our hospital could potentially increase our breach risk, which carries significant penalties.

The U.S. Department of Health and Human Services’ Office for Civil Rights may penalize breaches as much as $50,000 for each incident up to a maximum of $1.5 million annually. With cyberattacks reaching a new milestone last year, according to the Ponemon Institute, we wanted to have greater control and oversight into our records access. With our new EHR, all you need to access PHI from nearly anywhere is a recognized user ID and password, so having a clear audit trail was important.

At that point, we began implementing a role-based access control (RBAC) model for data security, which grants different levels of PHI access permission based on each provider or staff member’s defined roles. This process required us to first assess the entire organization and determine everyone’s PHI access needs. Once those needs were established, we examined how the new EHR could be configured to limit access for some staff while offering more privileges for others. Roles were then associated with the pre-determined permission levels.

Changing Roles, Changing Access

Developing an audit trail that could track the “who, when, where, and what” of EHR access was also important to reduce our breach risk. An ancillary goal of the audit trail was to help us determine if our RBAC policies and procedures were being followed.

For example, responsibilities and positions frequently change at hospitals. Prior to implementing the RBAC model, former employees were still able to access records, which is a major PHI privacy and security concern.

To enforce our policy, we revised our exit protocol for when an employee leaves the hospital. The new protocol requires our human resources department to submit a ticket to our IT service desk to have the former employee’s access disabled. This safeguard prevents the former employee from accessing records in any of our facilities as well as off-site through the web.

Since implementation, we started conducting more proactive audits at random to assess the different types of permissions each role had and if the security controls were effective. In these random audits, we want to ensure patient privacy is protected, but we also need to determine if the varying permission levels are interfering with someone’s job duties. We are lucky our hospital is small enough where I am in frequent contact with our department managers, and we can easily review the roles and their health information access requirements. A larger organization may need to conduct periodic scheduled assessments with its HIM department to ensure roles and permission levels are aligned.

Easier Access Requires Greater Security

Transitioning to a cloud-based EHR has helped our hospital make records more easily available to office-based physicians, which helps improve care continuity. Patients also appreciate being able to view test results and their chart information at home, or on a mobile device, which can improve patient engagement. Internally, the fewer release of information requests from providers has allowed my staff to concentrate on other higher-value initiatives.

With these benefits come a need for tighter security controls and broader oversight into health information exchange to prevent accidental or intentional breaches of PHI. After all, protecting health information with standardized security policies and procedures is in the best interest of our organization’s reputation and financial health, but more importantly, it is what’s best for our patients’ privacy and well-being.

About The Author
Stephanie Tatum, BS, RHIA is director of health information and informatics management and privacy officer at Oakland Regional Hospital. As Director of HIIM, she has led the facility to the successful attestation of the Stage 2 Meaningful Use Incentive Program and is currently preparing the facility to begin the process for attesting to Stage 3 objectives. In accordance with the HITECH Act, she has increased security measures by instituting Role-Based Security and has also participated in the facility’s Security Risk Assessment to assess current level of risk as a whole and develop a remediation plan to improve the areas of concern.