False Faith in your EMR/EHR

It seems most doctors, practice managers, healthcare compliance officers and healthcare security officers put way too much faith in their EMR/EHR. They assume that because the EMR encrypts the data, it is secure and there is nothing more to worry about. That’s a BIG mistake for the following reasons.

  1. Many EMRs do NOT encrypt the data in transit or on the local disk (cache), and/or do NOT automatically time out idle users, leaving the ePHI available for easy cyber theft.
  2. Access controls are only as good as the policies and procedures used to keep the systems secure. MOST companies and people don’t have policies or procedures for establishing or maintaining reasonable access controls. Lost or stolen credentials are going to happen. Ask Anthem: 80 million records stolen through an employee’s stolen credentials.
  3. Employee training is paramount. It should be at the top of the security priority list. Unfortunately, most healthcare practices are still using “privacy”-focused HIPAA training. This is a HUGE mistake. HIPAA is now about SECURITY, not just privacy. In fact, the U.S. Government (HHS) says security is about 80% of the issue.
  4. The best-built and most heavily defended castle will fall. Sooner or later someone will breach the wall or walk through the back tunnel entrance that someone left open or opened maliciously. You need to detect the intrusion quickly and stop them from stealing your valuable data and costing you huge remediation expenses and HIPAA fines.

What should every healthcare provider do about cyber-security?

Just a few suggestions to get you started.

  1. Implement a cyber-security detection solution that works immediately. Tripwire has proven to fail; Target was using Tripwire. We like SignaCert, which reduces the Mean Time To Detection (MTTD) so much that we became their Healthcare VAR.
  2. Conduct annual risk assessments that include a security analysis. Make sure the cyber-security analysis is not a sampling but uses a tool that checks well over 100 settings on each computer.
  3. Limit users’ access based on their roles.
  4. Require multi-factor authentication.
  5. Make sure you have policies and procedures in place to maintain a strong cyber security defense.
    • Anti-virus software is a current version with automatic updates, for both the software and the definitions, and is working on every computer.
    • Firewalls are configured correctly and updated regularly.
    • Web application security solutions are in place where needed.
    • OS and application vulnerabilities are checked and updates are applied regularly.
    • An automated HIPAA compliance test tool is in place on all computers, runs regularly and is checked religiously.
    • A trusted file & system integrity monitoring tool is in place on all computers, runs regularly and is checked religiously.
    • Then there’s the physical security of electronic data and devices. Review physical access to and movement of physical devices storing or transmitting ePHI. (E.g., don’t leave backup hard drives lying on the desk next to the back door.)
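To make the integrity-monitoring item above (and the MTTD point in suggestion 1) concrete, here is a minimal file integrity checker in Python. It is an added example written for this page, not code from the author, SignaCert or Tripwire. It assumes a directory to watch is passed to `build_baseline`; the fake EMR install, file names and tampering scenario in `demo()` are constructed in a temporary directory purely for illustration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk_size: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large backups or DB dumps need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Walk `root` and record hash, size and permission bits for every file.
    Paths are stored relative to `root` so the same baseline can be reused on other hosts."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            st = p.stat()
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p),
                "size": st.st_size,
                "mode": oct(st.st_mode & 0o777),
            }
    return baseline


def save_baseline(baseline: dict, path) -> None:
    # The baseline must be kept where the monitored host cannot rewrite it
    # (read-only media or a separate server); otherwise an intruder simply re-baselines.
    Path(path).write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(path) -> dict:
    return json.loads(Path(path).read_text())


def compare(baseline: dict, current: dict) -> dict:
    """Return added, removed and modified paths between two snapshots.
    A change in content hash OR permission bits counts as modified; size alone is not trusted,
    because a replaced binary can be padded to the original length."""
    base_paths, cur_paths = set(baseline), set(current)
    modified = sorted(
        p for p in base_paths & cur_paths
        if baseline[p]["sha256"] != current[p]["sha256"]
        or baseline[p]["mode"] != current[p]["mode"]
    )
    return {
        "added": sorted(cur_paths - base_paths),
        "removed": sorted(base_paths - cur_paths),
        "modified": modified,
    }


def has_changes(diff: dict) -> bool:
    """True if any category is non-empty; this is the condition that should raise an alert."""
    return any(diff[k] for k in ("added", "removed", "modified"))


def demo() -> dict:
    """Constructed scenario: snapshot a fake EMR install, tamper with it, and diff the two.
    Everything is created in temporary directories; nothing real is read."""
    with tempfile.TemporaryDirectory() as d, tempfile.TemporaryDirectory() as store:
        root = Path(d)
        (root / "bin").mkdir()
        (root / "bin" / "emr.exe").write_bytes(b"\x00original program")
        (root / "config.ini").write_text("session_timeout_minutes=15\n")

        baseline_path = Path(store) / "baseline.json"
        save_baseline(build_baseline(root), baseline_path)

        # Simulated tampering: binary swapped for one of identical size, config deleted,
        # and an unexpected export file appears. All contents are constructed sample data.
        (root / "bin" / "emr.exe").write_bytes(b"\x00trojaned program")
        (root / "config.ini").unlink()
        (root / "ephi_export.csv").write_text("constructed sample, no real data\n")

        return compare(load_baseline(baseline_path), build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run on a schedule, with the baseline stored off-host and an alert raised whenever `has_changes` is true, this is the mechanism behind the "runs regularly and is checked religiously" wording: the time to detection becomes the scan interval rather than however long it takes someone to notice. A commercial tool adds signed known-good baselines and central reporting on top of the same idea.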

To wrap up, there is no cheap short-cut to preventing a cyber-breach, and there is no known cyber defense that can prevent every breach. So take action: create a security plan and make sure you reduce your MTTD of a cyber-breach with a trusted cyber-breach detection tool.

Contact us if you have questions or want to learn more about a trusted solution.