The following is a guest post by Jim Fulton who is a Vice President at DigitalPersona, Inc.
The Health Information Technology for Economic and Clinical Health (HITECH) Act and Health Insurance Portability and Accountability Act (HIPAA) are driving healthcare organizations to ask two major questions. First, how can our organization obtain the maximum financial benefit that’s available from U.S. Federal government programs for transitioning to electronic health records (EHRs)? Second, how can I reduce the risk to my organization of failing to comply with increasingly strict information security regulations, without significantly impacting the productivity of employees?
HITECH requires healthcare organizations to implement secure electronic health record systems, which can be expensive to deploy and cumbersome to use if not done properly. Those that implement EHRs and demonstrate Meaningful Use can receive incentive payments from the Centers for Medicare & Medicaid Services (CMS), paid through either Medicare or Medicaid, to offset the cost of EHR adoption.
Not only can a proper transition to EHRs provide government funding, there are also significant cost reduction and operational benefits that can be experienced immediately. Patients’ records can be accessed more easily, allowing physicians to quickly reference medical information for faster and better response when providing care. In addition, if properly secured, EHRs can make it simple to keep accurate records of who has access to patient information, and can track when records are accessed and by whom.
However, on the path to implementing EHRs, healthcare organizations immediately come up against the HIPAA Security Rule, which requires safeguards for Electronic Protected Health Information (ePHI). The rule specifies three categories of safeguards:
- Administrative Safeguards – the policies, procedures and risk-management processes that govern how the organization selects, implements and maintains its security measures, and that document how it complies with the rule
- Physical Safeguards – controls on physical access to the facilities, workstations and devices that hold ePHI, to defend against inappropriate access to protected data
- Technical Safeguards – controls on the computer systems that hold ePHI: access control, audit logging, integrity protection, person or entity authentication, and protection of ePHI against interception when it is transmitted electronically over open networks
More often than not, this requires healthcare organizations to re-evaluate their user authentication infrastructure. There are two primary authentication methods healthcare organizations use today: passwords and token-based multi-factor authentication. Passwords are the least expensive method to deploy, but also the least secure. Token-based multi-factor authentication requires a user to combine something they know, like a password or PIN, with something they have, such as a smart card or token. This makes it more difficult for criminals to access data with a guessed or stolen password alone. However, the use of smart cards and tokens requires additional IT infrastructure and provisioning processes, which can be expensive to implement and maintain. Both of these methods share a common drawback: they impact the productivity of doctors, nurses and other healthcare staff.
An emerging answer to this user authentication challenge is the use of biometrics. Medical facilities, such as Jackson Hospital and Hawthorn Medical, use fingerprint biometrics to allow authorized employees quick access to patient data. Integrating fingerprint biometrics with the rollout of EHR systems allows organizations to streamline workflow processes by eliminating the need to repeatedly re-enter passwords or pull out a token when accessing electronic health records and applications throughout the facility. Including biometrics as part of the authentication system also helps medical facilities comply with HIPAA's Security Rule safeguards. HIPAA §164.312(d) (person or entity authentication) requires organizations to verify that a person seeking access to ePHI is the one claimed. A fingerprint is a "something you are" factor: unlike a password, it cannot be lent to a colleague, so biometrics protect against employees sharing login credentials and provide stronger overall access security for ePHI. Organizations can have greater confidence that only authorized employees have access to private patient information on all computer systems, including laptops. One caveat a practitioner should keep in mind is that enrolled fingerprint templates must be protected at least as carefully as password hashes, because a compromised fingerprint, unlike a password, cannot be reset. In addition, healthcare organizations are beginning to use biometrics with ePrescribing solutions to prevent unauthorized prescriptions.
As organizations continue to automate processes and take advantage of new technologies, stronger security becomes even more crucial. It is important for healthcare organizations to find data protection and access control solutions that provide the required security without hindering productivity.