The Security of Healthcare Information Systems
The healthcare industry is rapidly embracing technological innovations that allow digitization and automation of physical and manual records and processes. This transition offers tremendous benefits to providers, companies, and patients in the form of cost savings and convenience, but does it have an unforeseen cost? Medical records contain some of the most sensitive information about a person, and questions about information security are critical, particularly since this data is increasingly stored and accessed online.
What Are the Risks?
Image via Flickr by NEC Corporation of America
Electronic Health Records, or EHRs, contain a tremendous amount of sensitive information that could compromise patients’ privacy and security if misused. An EHR is essentially a digital version of a patient’s chart, so next to basic information like a patient’s name and contact information, the record stores data about current and past diagnoses, treatments, test results, X-ray images, and other medical information.
By design, health care providers can share patient EHRs, simplifying communication and coordination of care. But without proper security protocols in place, this confidential information could be misused by insurance companies, employers, or any person or organization interested in exploiting the data for personal gain.
Key Technical Safeguards
Multiple areas of focus are the target for healthcare providers when addressing concerns about patient information security. The first is the system itself. Several ways exist for handling potential security vulnerabilities within a system that has protected health information (PHI):
- Control access to the system through unique and frequently updated login information, automatic log off after a period of inactivity, and identity verification.
- Put audits in place so logins and activity in the system can be monitored or reviewed.
- Protect information integrity, so that data cannot be altered without proper verification.
- Encrypt information so data cannot be accessed while being transmitted between authorized users or systems.
Best Practices for End Users
In addition to ensuring that security measures become incorporated into every system containing PHI, organizations are taking steps to educate end users about important security measures. The privacy and security rules in the federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandate these steps and require providers to take administrative precautions to assess and lower risk. Security standards and practices are also being incorporated into undergraduate and graduate business degree programs in Management Information Systems (MIS), so the next generation of health care professionals will join the workforce armed with this knowledge.
Providers should also take the necessary steps to control access to workstations, where PHI can be accessed, and to facilities where these workstations are present. Controls should regulate the removal, disposal, backup, reuse, storage, and transportation of relevant workstations and systems.
Every innovation in healthcare information systems brings potential risks as well as benefits to light. The convenience and efficiency that EHR technology offers must be balanced by an equal measure of attention to the security of the information these electronic records contain. As digital medical technology surges forward, industry observers, professionals, and patients are wise to keep asking questions and challenging assumptions in their efforts to protect patient privacy of health information.