3 EHR Security Lessons from Anthem’s Security Breach

Exclusive Article by Ronald Vatalaro at EMRIndustry.com

As the medical industry goes high-tech with the implementation of electronic health records (EHR), credit card companies are not the only targets catching the eye of cybercriminals.

A massive security breach made public in February at Anthem, the nation’s second largest health insurer, sheds light on the importance of security and vigilance as healthcare providers and others bring sensitive patient information into the world of e-healthcare.

About the Anthem Breach

The breach at Anthem, the medical insurer of one in nine Americans, occurred on Dec. 10, 2014. The compromise went undetected until Jan. 27, 2015, when a database administrator became aware of someone using his credentials to perform a suspicious query.

Just two days later, Anthem reported the findings of its internal investigation to federal authorities and the breach was made public on Feb. 4.

Anthem’s breach makes it very clear that vigilance is necessary as EHRs are implemented in practices and facilities across the country.

Safe data storage with networks and security processes designed to protect patient information that includes account numbers, names, addresses, Social Security numbers and more, must be created.

3 Key Takeaways

The highly publicized breach at Anthem teaches lessons all healthcare-related providers using EHRs can benefit from.

Three main takeaways from the cyberattack pinpoint the responsibilities providers and support agencies, such as insurance companies, have in safeguarding their patient and/or client information:

System Considerations

Selection of systems to handle the need for EHR must go beyond program features and bells and whistles. Organizations must seek out products that deliver security features consistent with their needs and the sensitivity of the information stored on patients’ behalf.

Sound EHRs offer the ability to limit access and provide screening controls so only authorized staff can access sensitive information.

In addition, user activity logging features provide audit trails that record all navigation in the system while features that require users to justify manual printing of information limit the potential for unauthorized screen printing and unauthorized downloading of information.

Seeking out and demanding informatics systems that offer these safeguards and more is fast becoming critical.

Recommendations for HIM Professionals

Health Information Management professionals find themselves in not just the role of organizing, collecting and managing patient data, but also making sure it is protected.

With that in mind, HIM professionals must ensure their EHRs offer the functionality necessary for the organization to meet regulatory and operational requirements while safeguarding patient information.

Recommendations for doing so include:

• Identifying the location of information in the organization to verify state-specific guidelines
• Identifying functions in the system that create risk and working to limit or restrict their use
• Identifying security features that deliver higher levels of protection and implementing their use to safeguard sensitive information
• When choosing an EHR system, it falls on HIM professionals to systematically and independently evaluate the system without relying on vendor information to gauge system functionality
• Creating partnerships with IT counterparts to ensure the best functionality and security on a day-to-day basis

Security Features to Consider

Making sure EHRs deliver the necessary level of security to avoid breaches such as Anthem’s requires inclusion of a number of security features in the system itself.

These distinct features can make a difference in providing appropriate levels of protection:

• Role-based security that restricts access to information based on pre-established categories of patients, encounters and documents based on specific job requirements of the user
• VIP status indicators that enable restriction of identified patients and encounters to only those with VIP permissions
• Ability to create an alias to mask patient identity
• Ability to restrict physician access to only those patients the doctor serves as the physician of record for
• Blocking abilities for specific progress notes or lab results
• Ability to track and mask sensitive entries for release of information

Where to Turn for More Assistance

HIM professionals and others interested in learning more about how to safeguard sensitive patient data will find the federal government provides a clearinghouse of information on privacy and security via HealthIT.gov.

This website provides step-by-step plans for ensuring patient privacy and security, offers advice on how to integrate privacy and security into a medical practice and discusses privacy and security in regard to meaningful use, among other crucial topics.

As EHRs take the practice of medicine further into the high-tech world, cybercriminals are taking note. Safeguarding sensitive information is critical for protecting patients and their identities.

As the Anthem breach demonstrates, this brave new world is giving rise to potential pitfalls that HIM professionals must serve as sentinels against.

Ron Vatalaro works at Bisk Education with the USF Health online and writes about health informatics. Ron holds an advanced degree in Business Administration with a concentration in technology.

Take the USF Health Online 2015 Health IT Industry Survey .