If you need a few reasons to adapt to the latest security advancements, just look at the calendar for September and circle the “23”. That’s compliance day for the HIPAA Omnibus Rule, which modifies the privacy, security and enforcement rules. There are 659 more reasons – one for every large patient-information breach – on the Office for Civil Rights (OCR) Breach Notification Tool as of late August.
Security today, naturally, goes beyond the traditional “shred the paper” techniques and two of the biggest issues are related to EHRs and mobile devices. HealthITSecurity.com caught up with a security officer whose organization is paying close attention to those two aspects of the securing protected health information (PHI) game. Nancy Davis, MS, RHIA, CHPS, system director of privacy and security for Ministry Health Care in Milwaukee, offered some details about some of the latest advancements her organization has made and how it ensures security.
EHR access auditing
While the jury is still out on a final rule on accounting of disclosures and proposed EHR access reports, looking into auditing in EHRs is a must for organizations, Davis said. “Face it by now most organizations have the EHRs but are lagging in the auditing area either due to the constraints of the EHR application and/or the need to finance external auditing applications,” Davis maintained.
Ministry Health Care handles EHR access auditing through a combination of internal and external auditing applications. What’s a good first step if an organization is implementing this type of auditing? Have some type of tool – you have to have this.
“It doesn’t mean you have to purchase one, but there should be some way of verifying access,” Davis says. “Most applications have this; they just don’t function as well as external products.
Next, ensure your organization stays on top of the auditing when you choose to go down that route. “Take care not to create audit reports and let them stack up without reviewing,” Davis says. “There should be a policy and auditing plan in place.”
Without a solid auditing plan, organizations could have no way of knowing whether there was unauthorized access to a patient’s PHI. “You would not be able to defend an allegation of breach,” Davis says.
Mobile-device security
Davis’ organization uses an application she said has been great for mobile devices and addressing security. The end result is no information is retained on the device used. Davis uses this on her iPad when traveling, loves it and uses it once or twice a week based on travel and only for e-mail, which may include very limited PHI. “I feel secure when working in this application,” Davis says.
End users must first apply internally to be approved for the device. Once it is approved, they download the application to their portable devices and then authenticate it through a unique user log-in and complex password which is subject to change every six months. “It also times out automatically if not used,” she said. “We can access our e-mail.”
Mobile-device use is limited to providers, exempt staff, and non-exempt staff with leadership approval. When selecting security applications for your mobile devices, organizations need to identify the rogue programs out there. “They may not be sanctioned,” Davis said, “and may not be secure.” Source