5 tips for strengthening EHR data security

By Brandon Tanner
08:09 AM

While electronic health records systems and databases have enabled the healthcare industry to modernize patient care and information collection, an unintended side effect is that these often vulnerable systems have also made data more accessible to hackers.

And with the continuing stream of small and massive breaches, healthcare data security should be under greater scrutiny now than ever before to ensure that information is protected and breaches are infrequent.
By following a few simple guidelines, in fact, healthcare providers can enhance data security efforts.

1. Spearhead campaigns toward a culture of security. After the formation of the Consumer Financial Protection Bureau, executives in the financial industry realized the potential cost of ignoring data security issues. Once the financial industry understood the price of ignoring security regulations, protecting data became a major priority for high-ranking executives. In the healthcare realm, however, HIPAA enforcement does not involve similar audits or compliance actions on the same scale. To maintain a level of security comparable to the financial industry, healthcare leaders need to spearhead campaigns that lead their organizations toward a culture more focused on data security.

2. Conduct risk assessments of EHRs. One reason the healthcare industry has been vulnerable to data theft is the rapid development of EHRs. While electronic records are cost-effective and key to providing better service to patients, the security features built into these databases are often lacking.

3. Practice comprehensive penetration testing on a regular basis. This helps determine how secure, or insecure, an institution's database actually is. These tests should cover network security, since weak network security standards are one of the primary reasons hackers gain access to healthcare information. The testing should also examine firewall strength and EHR application security to identify weaknesses in network security, such as too many entry points to the EHR, so that healthcare professionals can proactively correct those issues before any breach occurs.

4. Adopt a strict data architecture model. By explicitly defining which healthcare professionals have access to particular data and limiting access to protected devices, healthcare organizations can make significant progress in protecting valuable patient data. Even within the organization, a data architecture model should clearly define which records can be sent to which devices and restrict data that should be accessible to only a few professionals. Tracking the path of data and records throughout the organization is also essential to prevent information from being corrupted or accessed by unauthorized individuals. Monitoring the path of data and any changes to records can also help keep better records of patient information, for example by identifying the point at which an incorrect change was made to an electronic chart.
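As an added illustration of such a model (example code written for this article, not from the author or Rentsys), the following sketch enforces a hypothetical role-and-device access policy over chart sections and keeps an append-only audit trail of every change, so the entry that introduced an incorrect value can be located. All roles, device IDs and chart sections are constructed sample values.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed, hypothetical policy: which roles may read or write which chart
# sections, and which registered devices records may be sent to at all.
ROLE_PERMISSIONS = {
    "physician": {"read": {"demographics", "medications", "notes"},
                  "write": {"medications", "notes"}},
    "nurse":     {"read": {"demographics", "medications"}, "write": {"medications"}},
    "billing":   {"read": {"demographics"}, "write": set()},
}
APPROVED_DEVICES = {"ws-icu-01", "ws-clinic-07"}  # constructed device IDs

@dataclass
class AuditEntry:
    ts: str
    user: str
    role: str
    device: str
    section: str
    old: object
    new: object

@dataclass
class Chart:
    patient_id: str
    data: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)  # append-only change history

def check_access(role, device, section, action):
    """Allow an action only from an approved device and only for a permitted role/section."""
    if device not in APPROVED_DEVICES:
        return False
    return section in ROLE_PERMISSIONS.get(role, {}).get(action, set())

def update_section(chart, user, role, device, section, value):
    """Apply a change after the policy check and record who changed what, from where."""
    if not check_access(role, device, section, "write"):
        raise PermissionError(f"{role} on {device} may not write {section}")
    entry = AuditEntry(datetime.now(timezone.utc).isoformat(), user, role,
                       device, section, chart.data.get(section), value)
    chart.data[section] = value
    chart.audit.append(entry)
    return entry

def find_change(chart, section, bad_value):
    """Return the audit entry that introduced a value later judged incorrect, or None."""
    return next((e for e in chart.audit
                 if e.section == section and e.new == bad_value), None)
```

In a real deployment the audit list would live in tamper-evident storage outside the application's own write path, which this in-memory sketch does not model.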

5. Develop strategic plans to avoid and survive data breaches. Currently, healthcare organizations place a higher priority on keeping essential departments of the organization running during an incident, such as a power outage. While this is extremely important, having a detailed plan in place to promote data security should also be a top priority. This should involve assigning staff to oversee regular security tests and enforce the data architecture model. This plan should also note steps to take to overcome any security shortcomings and make any needed adjustments to the data architecture model.

And in the event of a breach: Following a detailed plan to avoid a data breach should be a healthcare provider's first priority; however, in the event of a breach, leadership should have a strategic disaster recovery plan prepared to minimize the damage. Immediately following a breach, healthcare professionals should identify the information compromised, isolate the data and decide how to inform the patients affected by the event. Revising the approach to avoid future data breaches, including thoroughly testing the EHR, should be the next priority.

With the right plan in place, a data breach can be entirely avoidable, but if an event occurs, it can be an opportunity to evaluate the security of a healthcare organization’s information.

Brandon Tanner is senior manager at College Station, Texas-based Rentsys Recovery Services.