I have been thinking and posting a lot about HIPAA security lately. In the meantime Entegration has been involved in a large-scale EHR implementation for one of our clients. The combination of the two activities has led me to a theory that is downright scary. I don’t claim to be Nostradamus and I can’t see the future, but I will throw out my theory anyway. I believe that the ongoing EHR gold rush will put a lot of patient information in electronic form and place it in the hands of inexperienced employees who have not been trained on proper security precautions. In addition, health organizations will think about security after the EHR implementation rather than planning security properly before it. Together these events will lead to a large number of security breaches that will compromise patient information and could potentially derail the effort to modernize our health information systems.

As part of the ARRA stimulus package, many health organizations, from hospitals to solo practices, are pushing to implement EHRs in order to receive the full Medicare reimbursement per doctor. There will be a big up-tick in the number of health organizations that go from paper charts to electronic health records. There will also be a big push to start using existing EHRs to comply with the “meaningful use” standards, which will require more functions and modules to be turned on within existing EHRs. In addition, more employees at health organizations will be required to use computers, tablets, laptops and other computing devices to perform their jobs. Taken together, these events will mean a lot more patient information will be in electronic form and a lot more people will have access to that electronic information.

Over the years Entegration has been involved in many EHR implementations. There is a common theme I have noticed throughout all of these implementations, and it is pretty consistent no matter who the EHR vendor is. Employee training on the EHR is usually a quickly thrown-together process where the EHR vendor sends a trainer onsite to teach a series of group classes on how to use the EHR. These classes range from one hour to half a day depending on the employee’s job function and responsibility. After the class is over, the employee is sent on their way to start using the EHR. The training the employee receives is usually focused specifically on how to use the EHR: how to navigate screens, perform functions, etc. Rarely have I seen training that includes a security overview covering how to protect patient information on laptops, how to send patient information via email, password complexity, and so on.

Furthermore, many health organizations that go from paper charts to EHRs also go from simple computer networks to the much more complex networks that an EHR requires. In the process of implementing the EHR, a large amount of computer equipment has to be purchased and installed, including servers, desktops, tablets, printers, upgraded Internet connections and various other equipment. Unfortunately, most health organizations that go from paper charts to EHRs do not go through a formal security review prior to the implementation. These organizations most likely will not have concerned themselves with the HIPAA Security Rule, because before the EHR they don’t have much electronic protected health information (EPHI). So most likely the organization will have very few, if any, security policies and procedures. They will probably not go through a formal risk assessment and will not perform vulnerability scans on the newly created complex network. Employees will not go through training sessions that discuss protecting the newly created EPHI.

What you will have is a lot of health organizations that start putting patient information into EHRs that are used by employees without proper security training. You will have health organizations with newly created complex networks and no proper security policies and procedures. These complex networks will not have had proper vulnerability assessments. Employees will not be trained on security best practices for protecting patient information on laptops and portable devices, for sending EPHI via email, or for using complex passwords. The networks will not have proper auditing in place that monitors the event logs to determine whether information has been accessed by unauthorized personnel, whether internal employees or external threats. Data will most likely be backed up, but full disaster recovery technologies and procedures will probably not be in place.

We have seen a large number of security breaches so far in 2010. It seems like every week we hear about more and more patient information that has been compromised. This is happening already, even before the big push by a majority of health organizations to implement EHRs. When all the forces come together, will we see the flood gates open, with patient information being compromised and data breaches occurring at an alarming rate? If this does occur, will patients lose trust in their doctors and in the use of EHRs? I don’t know the answers to these questions, but if my theory is correct we will see a major wave of patient information data breaches that will put patients’ information in jeopardy and could potentially damage the effort to modernize our health information systems.
