As technology grows more mobile and security breaches become more common, healthcare organizations face a complex challenge in keeping patient records secure.
Ask any chief information officer how to best secure network data and electronic patient records, and two common themes will likely emerge: technology and vigilance. The stories of private patient data falling into the wrong hands are numerous: Thieves steal nearly 200,000 account records from a health insurance provider. A major university hospital announces it has lost more than 80,000 patients' files. Another provider reports stolen backup tapes containing records on 196,000 customers from a third-party handler of insurance claims. As technology becomes more mobile—think of stolen or lost flash drives and laptops—keeping data secure becomes increasingly difficult. But it can be done.
Who's looking at what?
At the rural nonprofit Mountain Family Health Centers in Colorado, the organization's two federally qualified health centers use electronic medical records, and about 70% of the group's 70 employees are mobile, meaning they can access critical information from laptops and tablet PCs, says Jason Greer, information systems director. The technology boasts a laundry list of benefits—but it also comes with its own set of security concerns. Greer says his department has implemented a number of policies, including a strict auditing process, to prevent breaches from occurring in the first place.
"We try to take a proactive approach. Each month we perform an audit to make sure that people aren't accessing data they shouldn't, and are able to access the data they need to," says Greer. Mountain Family Centers' system ensures that the billing department can't look at lab results. Conversely, while providers can research patient records, they can't research the billing side of those records. "We have set up some real firewalls based on user roles," Greer says.
Because so many of Mountain Family Centers' clinicians are able to access information remotely via laptops, Greer has also opted to take on the additional expense of a security measure that allows him to track and erase a laptop's hard drive remotely in the event that it is lost or stolen. "Some of these are expensive processes, but everyone here recognizes the importance of keeping this information safe," says Greer.
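The monthly audit Greer describes checks in two directions: nobody reads data outside their role, and nobody is blocked from data their role needs. The sketch below is an added example, not Mountain Family Health Centers' own tooling; the role names, record categories, user IDs and log format are all constructed assumptions.

```python
from collections import defaultdict

# Assumed role policy (hypothetical names): record categories each role may read.
ROLE_POLICY = {
    "billing": {"billing"},
    "provider": {"clinical", "lab"},
}

# Constructed sample data: user -> role, and one month of access-log events
# as (user, record_category, outcome).
USER_ROLES = {"asmith": "billing", "bjones": "provider", "clee": "provider"}
ACCESS_LOG = [
    ("asmith", "billing", "allowed"),
    ("asmith", "lab", "allowed"),      # billing user read lab results
    ("bjones", "clinical", "allowed"),
    ("bjones", "billing", "denied"),   # correctly blocked; not a finding
    ("clee", "lab", "denied"),         # provider blocked from needed data
    ("dkim", "clinical", "allowed"),   # account with no assigned role
]

def audit(log, user_roles, policy):
    """Return findings for both directions of the monthly check."""
    findings = defaultdict(list)
    for user, category, outcome in log:
        role = user_roles.get(user)
        if role is None:
            # Activity from an account the role map does not know about.
            findings["unknown_user"].append((user, category))
            continue
        permitted = category in policy.get(role, set())
        if outcome == "allowed" and not permitted:
            findings["excess_access"].append((user, role, category))
        elif outcome == "denied" and permitted:
            findings["missing_access"].append((user, role, category))
    return dict(findings)

if __name__ == "__main__":
    for kind, items in audit(ACCESS_LOG, USER_ROLES, ROLE_POLICY).items():
        for item in items:
            print(kind, item)
```

An `excess_access` finding means the enforcement layer let something through that the policy forbids, so it points at a misconfigured permission rather than only at the user.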
Help from the top
The need for "leadership buy-in" is a familiar refrain when it comes to technology initiatives. But buying into a concept and supporting that concept with action are two different things.