Data Access Versus Security: A Difficult Balancing Act
November 8, 2011 – Earlier this year, Janet Spangler got an object lesson in the tension between data access and security.
A new patient at Family Medical Associates of Raleigh (N.C.) toted his own laptop into the exam room, recalls Spangler, administrator at the five-physician group practice. When the physician arrived, the patient – a computer technician – turned his laptop around, revealing he had just gained access into the group's ostensibly secure wireless network, then admonishing the physician about the need to improve access controls.
"We have since modified our wireless system," Spangler says. "But the experience left us uneasy."
No sensitive information was exposed during the interlude, but the episode gives insight into why Family Medical Associates takes what Spangler describes as "a conservative approach" to data access. Not only did the group bolster its firewall against unwarranted outside intrusion, it put limits on what its own staff can see on the EHR, an ambulatory system from Greenway Medical Technologies that has been in place for five years. The practice even takes the extraordinary step of maintaining any employee medical records on paper-in a locked cabinet-and not on the EHR. "We can restrict access to our online charts, but you don't want records inappropriately accessed by other staff," she explains. "We are all for access if it results in better care. But we are quick to limit access if there's a risk of a security breach."
This balancing act between granting access to electronic health records while maintaining their proper security challenges provider organizations industry-wide. The whole point of the EHR is to facilitate access to critical data. Moreover, just about everybody in a provider organization needs access to some portion of the record to do their job-be it patient registration, order entry or discharge planning.
Clear-cut, executive-endorsed data access policies are the first step in finding the elusive balance. And any number of technologies can help the many providers struggling with the issue to bring the policies into reality. The data security arsenal includes tools for data encryption, identity management, and system auditing. Infrastructure set-ups with remote hosting help too, by keeping data from being stored on devices. These tools go a long way in helping providers operate both ethically and legally. Yet the formation of health information exchanges and the proliferation of personal devices represent even greater challenges to keeping health information protected.
"It exceeds risk to the company," Spangler says. "We're talking about patients' lives."