IT Security and Record Management in Healthcare
The Healthcare IT Guy, March 13, 2008
We’re ecstatic to see an article of this sort. Here, the guest writer, Dr. Zachary Peterson, senior security analyst at Independent Security Evaluators, discusses benefits associated with electronic health records (EHRs), but also takes the time to recognize the trouble spots. Although EHRs can save time and improve quality of care, there are also risks involved . As Peterson points out, records can maliciously be tampered with, crating all sorts of trouble for both patients and healthcare providers.
Peterson’s article highlights three areas electronic records must meet for compliance with the well known Health Insurance Portability and Accountability Act (HIPAA):
1. “Available means that all records must be accessible in real-time — accessing tape archives from a distant warehouse is unacceptable. This may require an organization to manage their own on-site storage system, and furthermore, retain a staff who knows how to manage it.
2. Private and confidential means data is accessed with fine-grain controls and that data are protected from unauthorized disclosure and use — both in transit between provides and at rest on an entity’s system. Most existing compliance systems achieve this by providing only a policy-based interface, but can make no guarantees should data become lost or stolen. Systems must provide privacy and confidentiality through encrypted storage and data transmission. By correctly using encryption, systems may meet both the explicit encryption requirement of the HIPAA Security Rule and the access control requirements of the HIPAA Privacy Rule. Further, encryption can be used to permanently delete data, for example, when a patient requests a redaction under the HIPAA Privacy Rule.
3. Lastly, systems must also employ authentication, meaning data are accurate and modifications are impossible to dispute. The HIPAA Security Rule requires a verification of the “accuracy” and “integrity” of electronic records. While encryption provides privacy from unauthorized intrusion and disclosure, it alone cannot guarantee the accuracy or integrity of the data. Without authentication, there is no way to verify that the result of a decryption is the same as original, unencrypted data. Authentication can also provide a way to bind an individual to their data modifications, making repudiation impossible.”