The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule requires electronic health record (EHR) security. As we manage more and more electronic protected health information (ePHI), and the volume of healthcare cyberattacks rises, EHR security is top of mind for most healthcare practices. Patients care about it too. According to a 2018 study, 80% of patients noted that privacy is very important, and 76% rated data security as very important. Surprisingly, EHR privacy and security issues were more of a concern to patients than rising healthcare costs.
According to statistics published in the HIPAA Journal, over 230,954,151 healthcare records were exposed, lost, or stolen in the past decade as a result of cyberattacks. And, unfortunately, the threat is growing every year.
With the threat of EHR security breaches growing annually, healthcare providers must take active steps to secure data and protect patient health records. In this post we explore some of the most critical EHR security measures to protect your patients’ privacy.
Ensure your Software is Certified
Before you look any further to secure your EHR, make sure you are using software that’s been certified by the Office of the National Coordinator for Health IT’s (ONC) Authorized Testing and Certification Bodies (ONC-ATCB). These testing bodies pre-analyze EHR software to identify any clear security issues based on hundreds of criteria within the following categories:
- Functionality – Ability to create and manage patient records.
- Interoperability – Ease of integration and communication with other internal and external systems.
- Security – Protection methods to secure data from threats.
Only EHR systems that meet all security regulations and pass an audit will earn the ONC-ATCB certification. To keep your patients’ information safe, use only ONC-ATCB certified EHR software.
Implement Physical Safeguards
When we think of EHR security, we often think of cybersecurity. However, physical security, like locks and on-prem security systems, is equally important to consider. Physical safeguards that prevent unauthorized people from physically accessing information fall into two categories:
- Facility and access control – The ability to limit access to the building using security features like access controls, locks, and camera systems.
- Workstation device security – Practices, policies, and procedures that specify the proper use and access to specific workstations and electronic records. There should also be policies covering the disposal, transfer, and re-use of electronic media.
Though there are not specific implementation specifications pertaining to physical safeguards, they are a critical part of HIPAA compliance. Each practice is empowered to design its own physical safeguard system. We suggest implementing robust facility and access control and workstation device security protections.
Implement Digital Access Controls
After your physical space and any place you store data are secured, digital protection is the next frontier. This includes security measures like passwords, PINs, and security questions that prevent unauthorized users from accessing computers or software.
Not all digital access controls are created equal. We suggest implementing the following best practices:
- Lockout controls – Set up controls to limit how many incorrect password attempts can be completed before the user is denied access for a set period of time.
- Complex password requirements – Require that capitalization, numbers, and special characters be used in passwords to make them harder to guess.
- Regular password resets – Ensure that all of your system users are regularly required to update their passwords.
- Security questions – In order to complete setup of login information, require users to enter security questions that only they would know the answer to.
- Two-factor authentication – Add two-factor authentication after password entry that requires users to enter a PIN for an additional level of access control.
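The lockout control from the list above, sketched as an added example that is not part of the original post or of any EHR product. The class name, thresholds and return strings are assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Lock an account after max_failures bad passwords inside window_s seconds."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock                    # injectable so the policy can be tested
        self._failures = defaultdict(deque)   # user -> times of recent failures
        self._locked_until = {}               # user -> time the lock expires

    def is_locked(self, user):
        until = self._locked_until.get(user)
        if until is None:
            return False
        if self.clock() >= until:
            # Lock has expired: clear state so the user starts from zero.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def attempt(self, user, password_ok):
        """Return 'locked', 'ok' or 'denied' for one login attempt.

        password_ok is the result of the real password check (assumed to be
        done by the caller against a salted hash).
        """
        if self.is_locked(user):
            # Reject without counting, so repeated guesses cannot extend
            # the lock indefinitely against the legitimate user.
            return "locked"
        if password_ok:
            self._failures.pop(user, None)
            return "ok"
        now = self.clock()
        recent = self._failures[user]
        recent.append(now)
        while recent and now - recent[0] > self.window_s:
            recent.popleft()                  # forget failures outside the window
        if len(recent) >= self.max_failures:
            self._locked_until[user] = now + self.lockout_s
        return "denied"
```
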
Hold Regular Staff EHR Security Training
Even with strict physical and digital safeguards, your system users themselves can pose security risks. Things like sharing workstations and passwords are just a couple of examples of poor EHR security practices. To mitigate these types of security vulnerabilities, take time to educate your staff on your physical and digital safeguards, the HIPAA Privacy Rule, and common ways staff may mistakenly leave patient data exposed.
Enable an Electronic Audit Trail
As an added layer of security, set up electronic audit trail software to automatically track which users complete which actions within your EHR. This makes it easy to spot and address suspicious activity before it becomes a more significant issue.
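To make the audit trail idea concrete, here is an added example (not from the original post or any EHR vendor) of a hash-chained log that records who did what to which chart, detects edited or deleted records, and flags accounts that open unusually many charts. Field names, the threshold and the sample events are assumptions constructed for illustration.

```python
import hashlib
import json
from collections import defaultdict

GENESIS = "0" * 64  # "previous hash" used for the first record


def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


def append_event(log, user, action, patient_id, ts):
    """Append an audit record chained to the hash of the record before it."""
    prev = log[-1]["hash"] if log else GENESIS
    body = {"ts": ts, "user": user, "action": action,
            "patient_id": patient_id, "prev": prev}
    log.append({**body, "hash": _digest(body)})


def verify_chain(log):
    """Return the index of the first record that fails verification, or -1.

    The latest hash must also be kept somewhere the EHR users cannot write,
    otherwise someone who can rewrite the whole log can rebuild the chain.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if rec["prev"] != prev or rec["hash"] != _digest(body):
            return i
        prev = rec["hash"]
    return -1


def flag_bulk_access(log, max_patients=3):
    """Users who touched more distinct patient charts than max_patients."""
    charts = defaultdict(set)
    for rec in log:
        charts[rec["user"]].add(rec["patient_id"])
    return sorted(u for u, seen in charts.items() if len(seen) > max_patients)


def build_sample_log():
    """Constructed sample events, not real data."""
    log = []
    append_event(log, "dr_lee", "view", "P001", "2024-01-08T09:00:00")
    append_event(log, "dr_lee", "edit", "P001", "2024-01-08T09:05:00")
    for n in range(1, 6):  # one account opening five different charts
        append_event(log, "frontdesk2", "view", f"P00{n}", f"2024-01-08T22:0{n}:00")
    return log
```
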
Conduct an EHR Security Risk Analysis
An EHR security risk assessment, or risk analysis, is an in-depth look into your systems to identify potential vulnerabilities or threats. We suggest following the best practices in this post to conduct your assessment.
Work with a Trusted EHR Security Partner
Managing EHR security is complex and time consuming. It is difficult to balance running a medical practice and delivering outstanding care with the back office labor of maintaining EHR security and functionality. That’s where a partner like Physician Select Management comes in. For decades, we’ve helped healthcare practices maintain full system security and HIPAA compliance. Contact us to learn how we can help your practice protect patient privacy and prevent an EHR security breach.