EHR Security is a Top Priority

With the passage of the HITECH Act, Congress made health IT security a top priority. ONC is committed to making electronic health information as secure as technically and humanly feasible.

That’s why ONC on April 1, 2010, launched an 18-month, multi-million dollar effort to improve the state of security and cybersecurity across the health IT spectrum. Key initiatives include:

  • Increasing health IT security by systematically assessing risk and providing tools and guidance to minimize it, including product configuration manuals and checklists to help assure secure health IT installations;
  • Educating the health IT community about security awareness with training, video, literature, and other materials;
  • Equipping the health IT workforce with the knowledge they need to manage health IT securely; and
  • Creating support functions such as back-up, recovery, and incident response plans to help when security emergencies strike.

Our ultimate goal is to protect patient information and create confidence in health IT’s security. These initiatives, and others, will help us do just that.

ONC recognizes that breaches are a serious issue. Despite stronger laws regarding breach notification, we must be vigilant and ensure that breaches are reported. What may be surprising are the statistics. For example, we know that in the past 5 years, 80 percent of reported lost records were the result of hard drives, laptops, and other storage devices that disappeared. Interestingly, less than 10 percent of health care information breaches resulted from hacking or Internet crime.

So what does this mean in terms of security? It shows that simply preventing the theft or loss of data storage devices would have a huge impact on the security of our electronic health records. Fortunately, this doesn’t require a major investment in equipment or training. Instead, it requires some clear, common sense policies, such as:

  • Securing all computers that contain patient data;
  • Protecting laptops with a combination of physical, technology, and policy-related methods;
  • Locking drive bays to prevent hard drives from being removed;
  • Placing servers in secure areas, strictly limiting access, and maintaining entry/exit logs; and
  • Establishing security policies that require the use of a high-grade encryption algorithm.

As we roll out these ONC initiatives, I hope some of the readers of this blog will share their own best practices: What security measures have you taken or observed? How do you ensure the security of EHRs in your daily work? Share with us what has worked for you – and what has not. We can all learn from experience.

Watch the ONC website for updates on our available security materials and to see our progress.


  1. ben says:

    How about access control lists and the principle of least privilege?

  2. Adrian says:

    Yes, that’s necessary to improve health IT security. It is strange that such an important area still does not have high-end solutions for keeping data secure.

  3. Rob says:

    I am not sure how criminals would use health care information to their advantage, although I am sure they would find a way, but I agree there needs to be excellent computer systems security similar to the banking industry.

  4. Bill says:

    I agree with the previous comments. In order for users (physicians) to use EMR systems, they have to be engaged in the development and provide input. I had my family doctor express concern about whether a hacker would intercept the data (EHR) as it is shared with other doctors.

    Security methods and guides are only as good as the end-users following the security policies and procedures documented. The biggest challenge to protecting Health Information Systems will be user training, user training, user training on awareness and consequences of weakening the security methods established to protect information.

    Another improvement in security would be better monitoring systems strategically placed on the network.


  5. Chandresh Shah says:

    It is very important to educate providers and end users to be vigilant about security issues. For example, leaving a computer logged in while walking away from the workstation is bad practice that leaves vulnerabilities.

  6. Joseph Miller says:

    An obvious answer to the EMR/EHR interoperability problem follows:
    • an Information Transfer Program [ITP] that simulates a printer, so that printing EMR/EHR data can put a copy in the ITP
    • EMR/EHR system sellers will provide ‘apps’ that convert data in the ITP into a standard format and from the standard back into their format
    • these ‘apps’ will be a necessary sales feature for them
    • individually identifiable health information is transferred in accord with HIPAA rules
    • data, in the standard format, is transferred to the ITP in the intended recipient’s computer
    • the ‘app’ in the intended recipient’s ITP changes this information into their system’s format

    The real problem is transferring individually identifiable health information in accord with HIPAA rules.

    I have developed a concept for such a network.
    I would appreciate your evaluation of the concept.
