10-step process lessens risks of security crisis
Be highly specific in your policies
While any method of maintaining and exchanging medical records has its risks, the increased accessibility of this information through computers should be addressed by risk managers. Here are 10 tips that computer security experts and risk management experts say you should take to limit the risks associated with electronic medical record systems and to make sure that your system is serving your organization:
1. Develop an information security program.
The best starting point is to make sure that your organization has the infrastructure necessary to control the information in place, says Dale Miller, president of Irongate Inc., a San Rafael, CA-based health information systems consulting firm. Each institution should have an information security manager who is accountable for the confidentiality and integrity of the information. This manager also is responsible for drafting the organization's technology policies and standards and for overseeing employee training.
2. Draft a technology policy.
Having a technology policy may be a hospital's best defense in the event it is sued over its use or misuse of its computers. "Ultimately the policy will be the defendant's exhibit 'A,'" says Diana J.P. McKenzie, JD, a partner at the Chicago law firm of Gordon & Glickson. McKenzie heads the firm's health care technology practice.
"If you have a technology policy, you can say [to the jury], 'I have a policy so this is what the person should have been doing, and they were acting contrary to it.'"
The policy should contain a general expression about the hospital's purpose in using computerized medical records and information networks. Also, it should have specific information about the use and deployment of technology. This should be distributed to employees on at least an annual basis, McKenzie says.
Examples of information that should be addressed in a technology policy are the use of passwords, pilferage of software, use of hospital laptops and even the location of a data storage room.
On passwords, a policy might include a warning to employees about creating a commonly known password such as their names or their children's names. It also might caution employees about the risks of sharing the password.
Policies also should contain a statement about discipline in the event an employee breaches the rules, says McKenzie.
3. Train employees.
It is not enough to simply have a policy on the proper use of technology. Hospital employees who may have access to patient information need to understand the importance of maintaining confidentiality. The sessions should be done on a regular basis. They should cover everything from basic, how-to information such as creating a password, to sessions where employees can voice their own concerns about technology issues.
"Most people in a health care organization are very concerned about confidentiality if they are working with patients," Miller says. "They see how it affects patients' lives. A training program gives them the opportunity to step back and think about this."
Risk managers may want to consider having their information technology department program their computers with warnings. Log-on screens and warning notices can be programmed to appear to underscore the need for confidentiality. These messages also can indicate the potential liability for unauthorized disclosure of medical record information, McKenzie says.
4. Consider imposing access restrictions.
Risk managers need to be concerned about unauthorized access to their records from both internal and external sources. When a computer is left on and ready to use, anyone inside the facility can access information -- whether they are otherwise entitled to or not.
To guard against this problem, risk managers should consider having access to computer records automatically restricted through automatic log-off programs. If an employee has not signed off the computer after a predetermined period of inactivity, the computer automatically shuts off access. Lahey-Hitchcock has programmed its computers to log off automatically after 15 minutes of nonuse, says Diane Drewes, RN, MA, risk manager of the Lahey-Hitchcock Clinic in Bedford, NH.
Other access restrictions that can be imposed restrict access on a need-to-know basis, McKenzie says. Based on an employee's password, the computer can be programmed to allow that person access to specific groups of information only.
Those restrictions typically are done by job description, Miller says. But risk managers also need to consider whether they will inhibit an employee from doing his or her work.
For example, billing clerks typically do not require access to patient medical records. Computers can be programmed to only allow the billing clerk into the billing department's files. But an exception could occur if a patient questioned why an item was on a bill. Without access to the medical record, the clerk would not be able to answer the patient's question.
Because many employees of Lahey-Hitchcock also are patients at one time or another, the facility had a heightened concern about restricting access to its employees' medical records, Drewes says. "Even though everyone is doing their duties, sometimes employees don't want their co-workers seeing their medical history." To address employee confidentiality concerns, the Lahey-Hitchcock Clinic programmed its computers so that only medical providers could access employee medical records.
5. Maintain access logs.
The risk manager should require the technology department to maintain a log of computer access and require that the log be audited regularly. The audits will help ensure that employees are not trying to circumvent access restrictions and may be able to identify patterns of improper or questionable use.
If access logs are maintained, employees should be advised of this policy, Miller says.
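As an added illustration of steps 4 and 5 (not part of the original article), the following Python sketch encodes a need-to-know rule of the kind described, including a rule like Lahey-Hitchcock's that only providers may open employees' medical records, and then audits constructed access-log lines for repeated denials and for allowed accesses the rule should have blocked. The roles, record categories and log format are assumptions made for the example.

```python
from collections import Counter

# Which record categories each job role may open (assumed mapping, per step 4).
ROLE_PERMISSIONS = {
    "billing_clerk": {"billing"},
    "nurse": {"billing", "medical"},
    "physician": {"billing", "medical"},
}
# Roles treated as medical providers for the employee-record rule in step 4.
PROVIDER_ROLES = {"nurse", "physician"}

def is_allowed(role, category, patient_is_employee):
    """True if a user in `role` may open a record of `category`; records of
    patients who are also employees are open to providers only."""
    if category not in ROLE_PERMISSIONS.get(role, set()):
        return False
    return not patient_is_employee or role in PROVIDER_ROLES

def parse_log_line(line):
    # Constructed log format: timestamp,user,role,category,patient_is_employee,outcome
    ts, user, role, category, emp, outcome = line.strip().split(",")
    return {"ts": ts, "user": user, "role": role, "category": category,
            "employee": emp == "1", "outcome": outcome}

def audit(log_lines, denied_threshold=3):
    """Step 5 audit: flag users with repeated denied attempts and any ALLOWED
    entry the policy says should have been denied (a bypassed restriction)."""
    denied = Counter()
    mismatches = []
    for line in log_lines:
        e = parse_log_line(line)
        if e["outcome"] == "DENIED":
            denied[e["user"]] += 1
        elif not is_allowed(e["role"], e["category"], e["employee"]):
            mismatches.append((e["ts"], e["user"]))
    repeat_offenders = sorted(u for u, n in denied.items() if n >= denied_threshold)
    return repeat_offenders, mismatches

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "09:01,clerk1,billing_clerk,billing,0,ALLOWED",
    "09:05,clerk1,billing_clerk,medical,0,DENIED",
    "09:06,clerk1,billing_clerk,medical,0,DENIED",
    "09:07,clerk1,billing_clerk,medical,0,DENIED",
    "09:10,nurse2,nurse,medical,1,ALLOWED",
    "09:12,clerk3,billing_clerk,billing,1,ALLOWED",
]

if __name__ == "__main__":
    print(audit(SAMPLE_LOG))
```

Running the block reports clerk1 for three denied attempts at medical records and flags the 09:12 entry, where a billing clerk was let into an employee's billing record that the provider-only rule should have blocked.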
6. Deny access to terminated employees.
Disgruntled employees can be one of the biggest risks a hospital can face. Some cases have been reported where ex-workers have deleted records, changed the information, or implanted viruses in the system. Yet many institutions fail to terminate their access to the computer system after they are fired.
As soon as employees are terminated or resign from the hospital, their computer passwords should be voided so they can no longer access the computer system.
7. Conduct security audits.
The hospital's technology staff should conduct periodic security audits to help identify any areas of risk to the medical records, McKenzie says. The audits should include unannounced evaluations of whether technology policies are being followed and an analysis of their effectiveness.
Hiring an outside hacker to try to break into a health care organization's computer network can proactively identify security weaknesses, she adds.
8. Prepare a disaster plan.
Most hospitals are prepared to take care of their patients if power is lost, but do not consider how their plans may be affected if they cannot access their computers. If you are going to computerize your medical records, it is imperative that there be alternative ways to access information, says McKenzie.
Risk managers also need to consider how to update the medical record with new information that was gained while the system was down due to a disaster, Epstein advises.
9. Protect against viruses.
Computer viruses can destroy an entire computer network in a blink of an eye. Risk managers should ensure that their technology policies include regular virus checks of all hardware and software. Employees should be prohibited from using outside software on the hospital systems, McKenzie warns.
10. Negotiate indemnifications in contracts.
Risk managers should try to get their computer vendors to assume as much liability as possible for loss through the use of indemnifications in the contract, says McKenzie.
The indemnifications could cover losses for the vendor's wrongful acts or negligence when installing or maintaining computer hardware and software.
If your institution uses clinical practice guidelines software, the indemnities take on added importance. "If the software is designed incorrectly, there could be a products liability issue," Epstein says, and the risk manager wants to make sure that the software manufacturer is responsible for any accidents that arise out of their information problems.
Before investing in an electronic medical records system, risk managers are advised to investigate state laws. A handful of states have so-called quill pen laws which require medical records to be kept in paper form. The number of states that still have these antiquated laws is shrinking as more and more health care institutions move toward electronic medical records, McKenzie says.
In addition, the Joint Commission on the Accreditation of Healthcare Organizations in Oakbrook, IL, recently released new standards that both encourage and scrutinize the use of electronic medical records, Epstein points out. (For more information on these standards, see related story, below.) While today's technology can vastly improve the quality of health care, risk managers need to ensure that it is not used at the expense of the patient's privacy and protection.