Why implement an electronic health records (EHR) system? If designed properly, an EHR system can produce many benefits for health care organizations. As more and more health care organizations push forward to aggressively implement EHR systems, the security and privacy of patient information are not always given the attention they deserve. Although most organizations have carefully addressed privacy concerns for paper records, they struggle to maintain the same vigilance when it comes to electronic records. Government regulations like the Health Insurance Portability and Accountability Act (HIPAA) and other state laws require providers and payers to follow strict guidelines concerning the security of their health systems, yet security breaches continue to occur with minimal repercussions. Why is this happening, how can it be prevented, and why should organizations prioritize security as a fundamental building block of their EHR implementation strategies?


Health care organizations were required to be compliant with the HIPAA security rule as of April 2005. Civil and/or criminal penalties were promised for organizations that were found in violation of HIPAA. Little has been done in the way of enforcement, and the fallout has been minimal to date. With little threat of enforcement, many organizations were not diligent in their efforts to comply with the security rules required by state and federal laws. This has led to a number of security breaches in the health care industry. A quick search on the Internet will produce several sources that list various security breaches that have occurred across all areas of health care, including physicians' practices. The majority of these breaches were the result of lost or stolen media and laptop computers containing patient information. The widespread movement of EHR implementations and the automation of electronic protected health information (ePHI) are pushing the need to implement a security framework that will not only deal with the intricacies associated with the rules imposed by government regulations, but also ensure patient privacy and security.


It is important to prioritize security for many reasons, but one area often not considered is cost. Cost-effective EHR system implementations are imperative, but implementing an EHR system without proper consideration of security controls can be more costly. In one recent example of a security breach, a doctor’s office was broken into and a hard drive containing personal information of hundreds of patients was stolen. After further investigation by law enforcement, it was determined that the hard drive was the only item taken by the thieves. It was clear that the perpetrators were targeting the hard drive as a means to steal the identities of the patients for fraudulent purposes. Identity theft is one of the fastest-growing crimes in the country, and health care providers are being targeted because medical records contain key patient information such as Social Security numbers and date of birth. There will be monetary costs associated with responding to an event such as this, but in the end, loss of reputation and patient confidence will be the greatest expense.


So, how can you prevent security and privacy breaches at your practice and at the same time meet state and federal regulatory compliance requirements? Regardless of the industry or associated regulations, a good security program begins by addressing the fundamentals of information security - maintaining the confidentiality, integrity and availability of all systems. Creating a best practices security environment will result in a HIPAA-compliant environment. In fact, the HIPAA security rule states that covered entities must maintain reasonable and appropriate administrative, technical and physical safeguards to ensure the integrity and confidentiality of the health information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information. What does this mean? This means that there are administrative, technical and physical safeguards which need to be considered and put into place. Administrative safeguards address the security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency planning, evaluation, and business associate contracts and other arrangements. Technical safeguards address access controls, audit controls, integrity, person or entity authentication, and transmission security. Physical safeguards address facility access control, workstation use, workstation security, and device and media controls.


The security program should be initiated, supported and directed by senior management. By taking a top-down approach, you can provide a solid foundation for security and emphasize how strategic security is to your organization. Organizations should perform a risk analysis of their environment. This will identify where vulnerabilities exist and the potential risk associated with them. It is important to note that if your organization will be using third-party vendors as part of your program, you should perform due diligence by auditing their security controls to ensure that they meet your requirements. By doing so, your organization will have a good idea of what is required to reduce the effects of threats and vulnerabilities to a reasonable level. This will also enable your organization to decide what administrative, technical and physical controls should be implemented to reduce the effects and probability of the identified threats to a reasonable level as well as determine the cost benefits of the associated controls.


Remember that availability of your systems is one of the three cornerstones of an effective security program, so it is critical to address business continuity and disaster recovery as part of this process. Make no mistake about it - all risk cannot be eliminated. Security is an ongoing iterative process that must be maintained. As technology changes, new threats appear every day, and your organization must have the process in place to address these threats. In the event of a security breach or disaster event, your organization should have a computer incident response team (CIRT) in place. This team should be able to analyze, respond to, execute escalation procedures and perform post-implementation follow-up activities in response to these events. Most organizations are reactive when it comes to dealing with an event. By instituting a proactive approach to your security design, your organization will be much better prepared to deal with potential threats to your systems, and, in many cases, eliminate them before they are acted upon.


One area of security that is both proactive and highly effective is a comprehensive security awareness training program. An effective training program in conjunction with proper sponsorship from senior management creates a culture of security that can lead to a self-policing workforce.


Security should be considered during every step of the process, from inception to steady state. A good start would be to follow these industry best practices when implementing your EHR system.


  • Obtain sponsorship from senior management. This is critical to the success of the overall security program and shows management’s commitment to security.
  • Perform a risk analysis of your environment. Identify and quantify existing and potential risks to your environment.
  • Audit your vendors. This will ensure that your vendor’s security controls meet your requirements.
  • Implement administrative, technical and physical controls. These three categories define the objectives of your security program implementation.
  • Provide for business continuity and disaster recovery. This allows you to keep your business running and provides a plan for recovery in the event of a disaster.
  • Develop an incident response program. This prepares your organization to be ready in the case of a security breach.
  • Be proactive, not reactive. This helps mitigate problems before they happen and saves time and money in the event of an incident.
  • Train your employees. End users are the weakest link in any security program. By having a well-trained staff, you can reduce the risk to your environment.

As organizations are strapped for funds and resources, a well-planned security program can give them the confidence that in the event of an incident, they will be well-prepared and damages will be minimized.
