How to Build a Secure Foundation for Electronic Health Records (CM101244)

An Interview with Healthcare IT Expert Mark Rein
Healthcare providers have been dealing with the Health Information Privacy and Accountability Act (HIPAA) for more than a decade. Now, new requirements designed to protect electronic health records (EHRs), including the HIPAA Security Rule and HITECH Act, are adding another set of challenges. As an IT executive with extensive experience implementing new technologies and processes for healthcare organizations, Mark Rein has seen the challenges from the inside. In this interview he provides some important pointers for keeping records secure.

Q: Most healthcare providers are focused on taking care of patients, not technology or data security—where do they begin?

A: One of the important early steps is to establish your policies and procedures for voice and data services. You need to know who has remote access to patient data and how you can securely grant them that access. Service providers can help with this, because you want to make sure you have multiple inroads via the Internet to your facility.

Q: What particular issues are there for practices that are using or moving toward electronic health records?

A: Providers need to have their network environment prepped well before they ever move to EHRs. A lot of changes need to take place, beginning with the fact that you can't have an inexpensive, non-redundant network if all your patient information is going to be moved to electronic form. With EHRs, your systems have to be available 24/7, so you have to have a higher-performing network, much more diligent security methodologies and technology and an enhanced ability to perform backup and recovery. You also need a business continuity plan to ensure that your practice can stay up and running and maintain access to patient records even if something like a power outage occurs.

Q: What is the biggest risk?

A: Wireless networks are a frequent source of vulnerability. Someone from the outside might be trolling for information. Another problem, unfortunately, is that someone on the inside could steal the information. Credit card information can be stolen and sold on the Internet, and someone who taps into patient records can take Social Security numbers and dates of birth, and sell them or use them to apply for credit cards and loans.

Q: So where should a doctor's office or lab start when it comes to protecting their data?

A: Well, here's the scary thing: Many of them haven't started at all. If we entered any medical office building right now, I guarantee that I could break into 20% of their wireless networks because they have no wireless network security.

©2011 CenturyLink, Inc. All Rights Reserved.
Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. CM101244 07/11
Q: None at all?

A: None. Small offices and laboratories have to recognize that spending money to secure their networks is the cost of doing business. It's something that has to be done, like buying a desk and buying a chair and paying the electric bill. If you don't spend money upfront to protect your networks, you can become liable for the loss of patient data.

Q: It's tempting for smaller practices to avoid those expenses, but you're saying it's a risk they can't afford to take.

A: Exactly. And that's especially true now, as we're moving to electronic health records and other systems that automate transactions and enable health facilities to share information. Just one hole in your network could give someone illegal access to private patient data.

Q: Some practices are now using portable devices like tablets and smart phones. What security precautions do they need for those portable devices?

A: Anytime you have a device with access to information, you have to make sure that it is password protected. That's usually the first problem. Doctors take the devices with them from office to office or hospital to hospital, and they often keep the passwords inside the device or physically taped to the device. The first step is you have to make sure the passwords are secure. A more sophisticated method of authentication may be called for as well, in which case they could look at using smart-card technology. A smart card is like an ATM card for a computer or portable device, which can be inserted or put in proximity to your device to authenticate the user and provide secure access. Another option is biometric technology, which relies on a personal characteristic, such as a thumbprint, to verify the user's identity.

Q: Health care providers are facing new, more stringent regulations related to data security. What is the best way for them to ensure continued compliance?

A: Initially, they are going to need to hire someone to help them set up and configure their network. Today, data security and compliance are simply too complicated for small and midsize practices to go it alone. It's not something you can learn from a book or trust to a non-professional. A number of managed service providers can set up networks and ensure compliance with security regulations, which allows healthcare providers to focus on the needs of their patients and their practice.

Q: What should healthcare providers look for in a vendor if they want to hire a managed security service or bring in consulting support?

A: They need to look at which compliance arm they're under, whether it's HIPAA, Sarbanes-Oxley or PCI, and then find an organization that specializes in helping them meet their specific compliance regulations. I would start with an overall security assessment that looks at your current architecture. You'll probably catch 80% of HIPAA-related infractions through that analysis.

Mark Rein, Vice President of Information Technology, ACDI/VOCA

With nearly two decades working in information technology, including seven years in hospitals, Mark Rein brings unique insights to the issues that are important to healthcare providers. His expertise spans voice and data networks, security, call centers and disaster recovery/business continuity. In his current role as Vice President of Information Technology for ACDI/VOCA, a private non-profit organization, Mark leads the strategy to provide IT and telecommunications support for 200 offices in third world countries worldwide.