How To Build A Secure Foundation For Electronic Health Records Cm101244



How to Build a Secure Foundation for Electronic Health Records
An Interview with Healthcare IT Expert Mark Rein

Healthcare providers have been dealing with the Health Information Privacy and Accountability Act (HIPAA) for more than a decade. Now, new requirements designed to protect electronic health records (EHRs), including the HIPAA Security Rule and HITECH Act, are adding another set of challenges. As an IT executive with extensive experience implementing new technologies and processes for healthcare organizations, Mark Rein has seen the challenges from the inside. In this interview he provides some important pointers for keeping records secure.

Q: Most healthcare providers are focused on taking care of patients, not technology or data security—where do they begin?

A: One of the important early steps is to establish your policies and procedures for voice and data services. You need to know who has remote access to patient data and how you can securely grant them that access. Service providers can help with this, because you want to make sure you have multiple inroads via the Internet to your facility.

Q: What particular issues are there for practices that are using or moving toward electronic health records?

A: Providers need to have their network environment prepped well before they ever move to EHRs. A lot of changes need to take place, beginning with the fact that you can’t have an inexpensive, non-redundant network if all your patient information is going to be moved to electronic form. With EHRs, your systems have to be available 24/7, so you have to have a higher-performing network, much more diligent security methodologies and technology and an enhanced ability to perform backup and recovery. You also need a business continuity plan to ensure that your practice can stay up and running and maintain access to patient records even if something like a power outage occurs.

Q: What is the biggest risk?

A: Wireless networks are a frequent source of vulnerability. Someone from the outside might be trolling for information. Another problem, unfortunately, is that someone on the inside could steal the information. Credit card information can be stolen and sold on the Internet, and someone who taps into patient records can take Social Security numbers and dates of birth, and sell them or use them to apply for credit cards and loans.

Q: So where should a doctor’s office or lab start when it comes to protecting their data?

A: Well, here’s the scary thing: Many of them haven’t started at all. If we entered any medical office building right now, I guarantee that I could break into 20% of their wireless networks because they have no wireless network security.

Q: None at all?

A: None. Small offices and laboratories have to recognize that spending money to secure their networks is the cost of doing business. It’s something that has to be done, like buying a desk and buying a chair and paying the electric bill. If you don’t spend money upfront to protect your networks, you can become liable for the loss of patient data.

Q: It’s tempting for smaller practices to avoid those expenses, but you’re saying it’s a risk they can’t afford to take.

A: Exactly. And that’s especially true now, as we’re moving to electronic health records and other systems that automate transactions and enable health facilities to share information. Just one hole in your network could give someone illegal access to private patient data.

Q: Some practices are now using portable devices like tablets and smart phones. What security precautions do they need for those portable devices?

A: Anytime you have a device with access to information, you have to make sure that it is password protected. That’s usually the first problem. Doctors take the devices with them from office to office or hospital to hospital, and they often keep the passwords inside the device or physically taped to the device. The first step is you have to make sure the passwords are secure. A more sophisticated method of authentication may be called for as well, in which case they could look at using smart-card technology. A smart card is like an ATM card for a computer or portable device, which can be inserted or put in proximity to your device to authenticate the user and provide secure access. Another option is biometric technology, which relies on a personal characteristic, such as a thumbprint, to verify the user’s identity.

Q: Health care providers are facing new, more stringent regulations related to data security. What is the best way for them to ensure continued compliance?

A: Initially, they are going to need to hire someone to help them set up and configure their network. Today, data security and compliance are simply too complicated for small and midsize practices to go it alone. It’s not something you can learn from a book or trust to a non-professional. A number of managed service providers can set up networks and ensure compliance with security regulations, which allows healthcare providers to focus on the needs of their patients and their practice.

Q: What should healthcare providers look for in a vendor if they want to hire a managed security service or bring in consulting support?

A: They need to look at which compliance arm they’re under, whether it’s HIPAA, Sarbanes-Oxley or PCI, and then find an organization that specializes in helping them meet their specific compliance regulations. I would start with an overall security assessment that looks at your current architecture. You’ll probably catch 80% of HIPAA-related infractions through that analysis.

Mark Rein, Vice President of Information Technology, ACDI/VOCA
With nearly two decades working in information technology, including seven years in hospitals, Mark Rein brings unique insights to the issues that are important to healthcare providers. His expertise spans voice and data voice networks, security, call centers and disaster recovery/business continuity. In his current role as Vice President of Information Technology for ACDI/VOCA, a private non-profit organization, Mark leads the strategy to provide IT and telecommunications support for 200 offices in third world countries worldwide.

©2011 CenturyLink, Inc. All Rights Reserved. Not to be distributed or reproduced by anyone other than CenturyLink entities and CenturyLink Channel Alliance members. CM101244 07/11