As clinical labs move from paper-based record keeping to EHRs, strategies for properly protecting electronic health data will, by necessity, become a critical part of day-to-day management.
By Jennifer MacCormack
Electronic health data is a prime target for criminal activity, including identity theft. Hospitals and large healthcare providers are also increasingly being targeted for ransomware attacks, where the organization’s computer systems are disabled by malicious software or sensitive patient information is hacked and held for ransom. In light of these risks and of healthcare entities’ responsibility under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) to safeguard patient data, organizations of all sizes need to give careful consideration to the way their patient information is handled, stored, and shared.
Paper patient charts are becoming a rarity as medical providers transition to electronic health records (EHR), often connected to a laboratory information system (LIS) on one side and a patient portal on the other. All of these electronic systems are vulnerable to unauthorized access, and it is important to understand your responsibility in keeping your patients’ protected health information secure. The systems that you choose to use are designed and maintained by software developers; however, it is your facility that is responsible for protecting the patient information that they contain.
Discuss Electronic Health Data Security with Your Developers
When deciding on a new software system for your facility, it is important to understand the layers of security that their software provides. It is also important to understand the vulnerabilities of the systems so that you can make an informed decision and implement procedures to mitigate any possible risks.
Questions to Ask
Where is the software hosted? On servers within the facility’s physical location, or an internet-hosted (“cloud”) system? Cloud-based systems reduce risk of electronic health data being lost due to natural disasters affecting your facility, and developers control and update security settings as needed to keep up with threats. However, cloud storage also means that your access to the system will be dependent on the quality of your internet connection, and the data is out of your hands. A facility-based system will ensure your data is accessible, but it will require on-site server space and it may be more difficult to keep up with software patches and updates.
How is access to the system controlled, and is there an audit trail for activities within the system? Can access be restricted based on user roles? Some software allows for setting different levels of permissions within the system, so that users can only access what they need to perform their roles. For example, a physician needs access to patient laboratory test results, but the billing department does not.
How, and how often, is electronic health data backed up? Is the backup performed automatically by the system, or manually by the developer or laboratory staff? How would staff access a backup if necessary?
What type of IT training and support is included with the service? Consider your own facility’s IT capabilities, and whether the service will provide comprehensive training for your staff to enable them to change settings, perform maintenance, and troubleshoot problems. If phone or internet support is needed for maintenance or troubleshooting, will that come at an extra cost?
Regardless of the system that you choose to use, there are several ways that you can increase your data security and keep patient data safe.
Restrict Access to Systems Containing PHI
Most electronic health data systems and websites already require that passwords be unique, long, and contain a variety of special characters to make them harder to guess. Passwords, though, are only the first line of defense; security-conscious organizations are increasingly turning to two-factor authentication to further protect their systems. In two-factor authentication, extra steps can confirm that the person accessing the system is, indeed, who they say they are. Some methods require that a keycard or ID badge is scanned and authenticated prior to a user entering a PIN or password. Other systems send a temporary code to a user’s email or phone, which must be entered separately before access is granted.
Ideally, all systems you use should have a means of logging user activity and providing an audit trail for all data entry and access. This can assist in determining the source and scope of any breach.
Use Blocking Software
Risk to electronic health data often comes from outside of the EHR itself. Malicious programs can be inadvertently downloaded from websites or sent as attachments in emails.
Many email systems scan attachments for malicious software, or warn a user that an email is coming from outside the organization and may not be trustworthy. Even so, it is best to warn staff against opening attachments that they are not expecting, especially when they are not coming from coworkers.
Email “phishing” is also a security problem: a criminal entity sends an email containing a link, asking a user to click through to access a familiar website and sign in. In reality, the website is a copy and when the user enters their login and password information, it is captured by the “phishers” who can then use it to access the real site and any data stored there.
If staff have regular access to the internet on office computers, consider using software that will block suspicious sites. You may go further and choose to keep a very restricted list of permitted sites, with everything else blocked.
Educate Your Staff on Keeping PHI Safe
The best security systems are only as secure as the people using them. Make sure that staff are trained on all security policies and procedures, and consider including security knowledge and habits in annual competency evaluations or personnel reviews.
Things to watch for:
- Use of very simple passwords like “password” or “lab123”
- Staff borrowing each other’s badges to scan into the system
- Passwords on sticky notes next to laboratory workstations
- Leaving computer workstations unattended in areas others can access
Regular, Off-Site Backups
Just as it’s wise to hit “save” often on an important project on your computer, regular backups of your laboratory’s data can ensure you don’t lose everything if disaster strikes.
A ransomware attack can hold your system or data hostage and make normal operations impossible. While ransomware targets are primarily larger organizations, all medical facilities should have a plan for continuity of operations if the computer systems are inaccessible for an extended period or if data is destroyed in an accident or disaster.
Proactive Electronic Health Data Security
It is best to be proactive about electronic health data security. Conduct an initial audit of your current systems and policies, and look for possible areas of concern. Involve as many staff members as possible in your audit, as their different perspectives may lead to important insights. Document any problems or areas for improvement, and implement solutions that will tighten up your security. Consider including a security checkup as part of your laboratory’s usual quality assessment activities, so that you are regularly revisiting data security and keeping your patient information secure.
Many resources are available online for learning more about HIPAA, electronic health data security, and a laboratory’s role in keeping patient data confidential and secure from hackers and data breaches.
ABOUT THE AUTHOR
Jennifer MacCormack is COLA’s technical writer, developing webinars, technical bulletins, and educational materials, as well as articles for external publication. Prior to joining COLA as a technical advisor, she had more than 15 years of experience as a medical laboratory scientist, working in hospital core laboratories and transfusion services in both the U.S and Canada. She also worked in development and manufacturing of blood typing antisera. Her work has been featured in several industry publications and science communication blogs.
