Discussions about implementing the electronic health record (EHR) have found a prominent place in clinical conversations, and are edging more and more into clinical/biomedical engineering conversations. Some biomed departments have already been hands-on with the EHR and have played a part in or seen systems go live, while other facilities are just beginning to circle the topic. No matter where your department falls in this timeline, your knowledge of the process and the various stages of implementation represents a crucial part of safeguarding the critical information contained within these records.
A significant objective of EHRs is to make health care safer, but with increased device interoperability, and as electronic patient data travels a path that has become increasingly available to more people in more places through the advances in mobile technology, privacy and security risks still loom large. Sometimes, visually experiencing a process, such as the journey this information takes, can create a better understanding of where weaknesses lie.
As part of Integrating the Healthcare Enterprise (IHE) International, members of the Patient Care Devices (PCD) domain—an organization that develops standards-based interoperable communication profiles between medical devices and between medical devices and medical record systems—gave HIMSS attendees a rare opportunity to see medical devices and systems and electronic medical records (EMRs) demonstrate interoperable communications at HIMSS12 this February in Las Vegas.
The HIMSS interoperability showcase and a smaller version of it held during AAMI’s annual conference are actually the only opportunities in the US where you can observe this and also discuss the benefits of interoperable, standards-based communications in depth with developers.
Those of you who attended either HIMSS or the last AAMI conference saw the benefits of the process, which are well documented, but what about the essential security issues? How are they addressed? Private information finds protection through the HIPAA Privacy Rule, which protects the privacy of this individually identifiable health information. In addition, the HIPAA Security Rule sets national standards for the security of electronic protected health information, and the Patient Safety Rule protects identifiable information being used to analyze patient safety events and improve patient safety—all of which are enforced by the Office for Civil Rights through the US Department of Health & Human Services. Even with enforceable rules, much of this relies on individuals acting responsibly, such as making sure mobile devices with sensitive information are not left lying around in places where theft can occur.
In 24×7’s February 2012 cover article, “Privacy Considerations for the Medical Device Ecosystem,” authors Axel Wirth, MSc, CPHIMS, national health care solutions architect at Symantec Corp, Mountain View, Calif, and Elliot Sloane, PhD, CCE, FHIMSS, founder of the Center for Healthcare Information Research and Policy, stated: “We need to recognize that security and privacy are closely related and can never be truly separated—you cannot have privacy without proper security.” They went on to illustrate that privacy is patient focused while security is device focused.
Hacking has become big business, and with the proliferation of mobile devices, everyone in the health care environment must be vigilant about security. I’d like to hear how your department and facility are handling EHR projects as well as addressing growing security concerns. You can blog about it with us at 24×7mag.com/blog.