EHR Security is a Top Priority

Dr. Deborah Lafky | July 19, 2010

With the passage of the HITECH Act, Congress made health IT security a top priority. ONC is committed to making electronic health information as secure as technically and humanly feasible.

That’s why ONC on April 1, 2010, launched an 18-month, multi-million dollar effort to improve the state of security and cybersecurity across the health IT spectrum. Key initiatives include:

  • Increasing health IT security by systematically assessing risk and providing tools and guidance to minimize it, including product configuration manuals and checklists to help assure secure health IT installations;
  • Educating the health IT community about security awareness with training, video, literature, and other materials;
  • Equipping the health IT workforce with the knowledge they need to manage health IT securely; and
  • Creating support functions such as back-up, recovery, and incident response plans to help when security emergencies strike.

Our ultimate goal is to protect patient information and create confidence in health IT’s security. These initiatives, and others, will help us do just that.

ONC recognizes that breaches are a serious issue. Despite stronger laws regarding breach notification, we must be vigilant and ensure they are reported. What may be surprising are the statistics. For example, we know that in the past 5 years, 80 percent of reported lost records were the result of hard drives, laptops, and other storage devices that disappeared. Interestingly, less than 10 percent of health care information breaches resulted from hacking or Internet crime.

So what does this mean in terms of security? It shows that simply preventing the theft or loss of data storage devices would have a huge impact on the security of our electronic health records. Fortunately, this doesn’t require a major investment in equipment or training. Instead, it requires some clear, common sense policies, such as:

  • Securing all computers that contain patient data;
  • Protecting laptops with a combination of physical, technology, and policy-related methods;
  • Locking drive bays to prevent hard drives from being removed;
  • Placing servers in secure areas, strictly limiting access, and maintaining entry/exit logs; and
  • Establishing security policies that require the use of a high-grade encryption algorithm.

As we roll out these ONC initiatives, I hope some of the readers of this blog will share their own best practices: What security measures have you taken or observed? How do you ensure the security of EHRs in your daily work? Share with us what has worked for you – and what has not. We can all learn from experience.

Watch the ONC website for updates on our available security materials and to see our progress.