Most readers of EHR Scope are physicians and medical office managers, many of whom are still learning why EHR implementation is necessary and may not be fully up to date on the technical progress of the National Health Information Network (NHIN) since HITECH. While the meaningful use final rules are shaping incentive qualifications and penalty enforcement, HIT work roles and workflows will also change significantly when all is said and done. Defined roles and qualifications for those who handle personal health information (PHI) will be shaped by the security requirements embedded in the National Health Information Network. These issues are more technical in nature, but some of you may be able to contribute to the public discussion while the ONC is listening. Continue reading: ONC Committee Work-groups and Tiger Team Want Your Input
Wednesday, October 13th, 2010. Recently we had a chance to catch up with Drummond Group’s President, Beth Morrow, to discuss the current status of EHR certification from the perspective of the approved certification bodies. Thanks to Beth, EHR Scope has gained some insight to share regarding the ONC-ATCB certification testing process, as well as the struggles EHR software companies are currently enduring.
“Our biggest challenge is when folks are registering, and want to get in as soon as possible… then the date comes, and they aren’t ready. The details of running these test scripts are substantial… It is very intensive work and not to be underestimated.”
September 20, 2010, San Luis Obispo, California. InfoGard Laboratories, the nation’s first accredited IT security testing laboratory, has been approved by the U.S. Department of Health and Human Services (HHS), Office of the National Coordinator for Health IT, as an ONC-Authorized Testing and Certification Body (ONC-ATCB) for the certification of Complete EHRs and EHR Modules for both ambulatory and inpatient settings. Eligible professionals and hospitals may collect incentive payments through meaningful use of EHR technology capable of meeting the criteria to support meaningful use under the American Recovery and Reinvestment Act (ARRA). Continue reading: InfoGard Laboratories Approved to Certify EHR
Electronic medical records are being hailed as a tool to aggregate patient data and advance research, but questions remain about how the vast sharing and compiling of this critical medical/genetic information will remain de-identified to protect patients’ privacy and security.
Researchers at Vanderbilt University have found a unique algorithm to make electronic medical record information anonymous for genome-wide association studies (GWAS), according to a paper that recently appeared in the Proceedings of the National Academy of Sciences.
While at HIMSS10, it was clear that the Health IT movement is progressing. Now that many major hospital systems and larger group physician practices have adopted EHR systems, how is their digitized health information going to move through the larger healthcare system? The HIMSS10 Interoperability Showcase focused on answering this very question. Vendors and other companies are now looking into creating the health information highway, so health information can leave silos and be seamlessly transported between healthcare entities and delivery systems.
However, with this advancement in Health IT interoperability and exchange, more questions about safety and security of Health IT arise. Many companies have emerged to offer services that will securely and safely share and exchange digitized health data.
One of these companies is FireHost, and I had the opportunity to speak with FireHost’s CEO, Chris Drake. FireHost is a secure web hosting company that provides affordable hosting solutions with enterprise-level security to companies of all sizes. FireHost is heavily involved in Health IT, as the security and privacy of digitized health information is an issue at the forefront of the national push for an interoperable health IT infrastructure. Chris spoke about some of the critical issues facing Health IT security with the growing popularity of web-based EHR systems.
HHS is focusing its efforts on developing standards for handling security breaches of electronic health information. The Adoption/Certification Workgroup of the HHS Health Information Technology Policy Committee has developed a draft proposal that outlines best practices for electronic reporting of patient safety hazards and near misses.
This draft proposal encourages physicians and hospitals to adopt an electronic reporting system for health information security breaches. It also encourages patients to be involved and to report errors, omissions and other mistakes in their health records. The recommendations involve EHR vendors as well, suggesting that they enhance EHR functionality so that “feedback” buttons can be used to quickly report data problems when using the EHR systems.
These best practices are expected to be included in the second phase of “meaningful use” of EHR systems, starting in the fiscal year 2013. The workgroup stated that the goal for incorporating these standards is to establish a “patient-centered” approach to health IT safety. This patient-centered approach would include confidential reporting, liability protections, whistle-blower protections, patients engaged in the system and transparency.
As more and more physicians and hospitals transition into the digital age, a vast amount of personal health data becomes ‘bait’ for internet phishing. While EHR system security is often a top priority, there is little that secure hosting and encryption of health information can do to stop e-mail phishing scams.
It’s as simple as this:
- A faculty physician at a large university health system receives an e-mail appearing to be from the hospital’s information technology staff.
- The e-mail requests the doctor’s login information in order to perform routine security upgrades to the system.
- This seems like a legitimate request from a reliable source, so the physician replies, providing his or her login and password.
St. Jude Medical, Inc. Achieves High Honor for Health Information Technology Security and Interoperability. January 19, 2010.
St. Jude Medical, Inc. has recently been recognized for achieving high standards of health information security with its vast EHR and Health Information Technology systems. It has successfully completed its second interoperability testing process for the company’s Merlin.net(TM) Patient Care Network (PCN), an Internet-based repository of patient and implantable device data. The company also announced that the Merlin.net PCN is the first medical device network to be awarded ISO 27001 certification, a strict worldwide information security standard.
Many new PHR products that run on USB keys, flash drives, mobile phones, PDAs and more are being introduced to the market every day. For a PHR application to be truly beneficial, it must be platform independent, have a zero footprint, be accessible with a permissions structure, be available to the provider, first responder and patient, and, most important, provide encryption or at a minimum ID and password functionality to protect the contents of the device.
The first step towards compliance with the HIPAA Security Rule is to perform a risk assessment on your system. You aren’t required to do this yourself (you may choose to hire a consultant), but you will be expected to understand the assessment findings. So what are ‘risks’, and how are they measured? Let’s start by defining some terms as they appear in the Rule.
Section 164.308(a)(1) requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.” In this statement:
“EPHI” stands for Electronic Personal Health Information. This includes all medical information related to patients in your care.
“Vulnerabilities” are weaknesses in the way your system handles information. This can mean anything from inadequate physical security at your office (such as locks and alarms), to employing out-of-date software, to failing to employ the security features included in your software (not creating passwords, etc.).
“Threats” are forces that will exploit vulnerabilities. This can mean people, such as disgruntled employees, burglars and hackers, or it can mean things like fires, floods, earthquakes and tornadoes.
“Risk”, therefore, is a calculation of two things: first, the probability that a given threat will exploit vulnerabilities in your system, and second, an estimate of how much damage would be caused by that exploitation. Risk is hard to assess, because the factors involved are often subjective. Just because an event has a low probability doesn’t mean it can’t or won’t happen, and a highly probable event might not impact your system security at all.
For instance, a viral infection on a computer in your system is highly probable, but the likelihood that the infection would lead to a system failure or security breach is small, so it would be considered a low-risk scenario. If a burglar, however, were to break into your office and steal all of your equipment, there is a 100% chance that your data will become unavailable to you and a good chance it may end up in malicious hands. Even if the crime rate is low in your neighborhood, this would be considered a high-risk scenario.
No matter what your assessment finds, when you address the vulnerabilities of your system and (where possible) eliminate threats, you reduce your overall risk level. This is the best way to ensure you’ll be in compliance with the Rule.
Join us next week for some tips on how to conduct your risk analysis.