The CIO leads the Information Technology Department maintaining the function of SETMA’s electronic health record. The CIO is responsible for:
- Maintaining the functions of SETMA EHR. Making sure that the system is available twenty-four hours a day, seven days a week as SETMA uses the system in all seven clinics, 24-hours-a-day in four hospitals, in five emergency departments, in twenty-two nursing homes, in all providers’ homes and in numerous other sites.
- Upgrading systems including services, connections and other hardware and software tools for optimal use of the EHR.
- Strategic planning for the IT Department to make sure the CEO and COO are aware of capital expenditures needed for electronic patient management.
- The integration of over 75 distinctive software packages.
- The backup of all systems and the securing of those backups off site and in secure locations.
- Security for all systems, laptops, portals and points of access to SETMA’s systems.
- The Chief Information Officer (CIO) approves information security governance processes and exceptions.
- HIPAA compliance for all information technologies.
Security: The Key to the CIO’s Responsibilities
The major function of the IT Department is security. For SETMA, the complexity of the security issue is greater than the typical practice. The ideal of EHR is achieved when every healthcare encounter is documented in the same record. SETMA uses the EHR in the clinic, at the providers’ homes, in the emergency department of all hospitals in our area, in all nursing homes in our area, in all hospitals in our area, in hospice, home health, physical therapy and from remote sites when providers are on vacation and want to keep up with their patients and/or to answer questions which arise.
The question of security is complicated by this access. All information is protected by 256-bit encryption and by security codes. In sixteen years of using EHR, SETMA has not had a security breach. As improved security tools have become available, SETMA’s CIO has upgraded our system to improve its security.
Two-Factor Authentication
Two-factor authentication means the provider must present something he/she physically possesses combined with something he/she knows. The physical device is called a “smart card,” which contains a small computer chip that is programmed and tied to a specific user’s account. The something you know is similar to a traditional password. Someone can steal your smart card, but without your password it is worthless; conversely, they can know your password, but without the physical smart card it does them no good. Currently, neither HIPAA nor MU requires two-factor authentication, but SETMA believes that in the future it will be required. SETMA has a security policy that requires employees to report a misplaced, lost or stolen card. When a card is reported missing, SETMA’s IT Department can inactivate that card, rendering it useless and keeping our system safe.
Remote Access with Random Number
Remote access to SETMA’s EHR now requires your name, your personal password and a random, computer-generated eight-digit number which changes every sixty seconds. The number is generated by a product published by RSA named SecurID. Like the “smart card,” the RSA token is a physical device that is tied to the user’s account. This device generates what is known as a one-time password: a password that is only valid for sixty seconds.
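To show how a code that changes every sixty seconds can be checked on the server side, here is an added example (not SETMA’s or RSA’s code; SecurID’s own algorithm is proprietary) that uses the open RFC 6238 TOTP construction with a 60-second step and eight digits, and rejects a code that has already been used within its window.

```python
import hmac
import hashlib
import struct

STEP_SECONDS = 60   # the code changes every sixty seconds (assumed 60 s step)
DIGITS = 8          # eight-digit code

def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS,
         digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, then
    dynamic truncation (RFC 4226) to a zero-padded decimal code."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def verify(secret: bytes, submitted: str, unix_time: int,
           last_used_counter: int, skew: int = 1):
    """Accept the code for the current step or up to `skew` steps either
    side (clock drift), but never a step already consumed: a one-time
    password must not be replayable inside its sixty-second validity.
    Returns (accepted, new_last_used_counter)."""
    for delta in range(-skew, skew + 1):
        t = unix_time + delta * STEP_SECONDS
        counter = t // STEP_SECONDS
        if counter <= last_used_counter:
            continue  # replay of an already-used step
        if hmac.compare_digest(totp(secret, t), submitted):
            return True, counter
    return False, last_used_counter

if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test-vector seed), not a real key.
    seed = b"12345678901234567890"
    print(totp(seed, 119))                   # code for time step 1
    print(verify(seed, totp(seed, 119), 119, last_used_counter=0))
    print(verify(seed, totp(seed, 119), 119, last_used_counter=1))  # replay
```

The server stores only the last accepted counter per user; a code is valid for one sixty-second step (plus the configured drift allowance) and only once.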
Scanning our System
Keeping systems updated with the latest patches and firmware is critical but challenging. Not applying updates increases the opportunity for data breaches or for inappropriate access. It would take numerous employees to keep checking our systems to make sure there are no security risks or updates we have overlooked. But the problem created by technology, i.e., security, can also be solved by technology. SETMA has incorporated a device in our system which scans our system at regular intervals. This product is named Nexpose by Rapid7 and is considered the enterprise leader in vulnerability management and penetration testing. It continually looks at all software in our system. It regularly sends a report to SETMA’s CIO about new versions or upgrades of the software that we use. It tells the CIO that SETMA is on one version and another is available. Included in that report is an assessment of the value of the upgrade and the security risk of not upgrading to the new version. The risk is graded as moderate, severe or critical.
Plugging and Playing
With multiple locations and hundreds of secure devices in use by SETMA, another significant risk to our security was the potential for an employee or someone else bringing an external device, such as a laptop, and plugging it into our system. Regardless of the intent, whether innocent or criminal, this presents a great risk to our systems. The risk could be a virus getting into our system, or someone trying to steal data. By upgrading our switches to state-of-the-art Cisco switches, we are now able to identify “unapproved” devices and refuse them access to our network.
Log of Activity
With a paper medical record, there is no way to know who has looked at a record. With a robust EHR however, it is possible to know everyone who has looked at, accessed or entered data into a chart. With SETMA’s state-of-the-art EHR, an electronic log is kept of all activities related to a patient’s record. In the past several years, SETMA had occasion to need to know if a particular record had been inappropriately accessed by another person. We are so serious about this issue that typically, even when there is a legitimate need to know something about a record, if that need is not involving patient-care or safety, that chart is not looked at without legal counsel and direction from counsel. In the case above, it was reassuring to discover that no one had looked at or accessed that chart inappropriately.
SETMA has upgraded that ability. While various parts of our system created a log of activity, we did not have a cumulative log over our entire system. In our security analysis, we discovered that this was a HIPAA requirement, and we have remedied it. Henceforth, if a patient or any other legitimate authority raises a question about access to any health information, SETMA will be able to answer that legitimate and legal question via a log which contains information on all access and activity from all devices about a particular patient.
Because we live in an electronic age, electronic communication is important. Where it is important to share patient information which is compliant with HIPAA, the connection between both ends of the communication must be encrypted. It is not feasible to encrypt traditional email between SETMA and the thousands of patients we serve. This is why we have partnered with our EHR vendor to offer NextMD to our patients. NextMD is a secure web portal that allows patients and SETMA providers to communicate securely.
Email continues, though, to present a security risk: employees may accidentally send emails that contain protected health information (PHI). SETMA has implemented Cisco’s IronPort product, which provides data loss prevention (DLP) technology. All outgoing e-mail is scanned for prohibited information. For instance, if an e-mail includes a patient’s social security number or other confidential information, that e-mail is prohibited from being sent.
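As an added illustration of the outbound check described above (example code written here, not Cisco IronPort’s implementation), this scans the subject and text parts of an RFC 822 message for social security numbers, applies the SSA issuance rules to cut false positives, and returns a block/deliver decision with the matches redacted for the incident log. The sample messages are constructed.

```python
import re
from email import message_from_string
from email.message import Message

# 123-45-6789 or 123 45 6789, not embedded in a longer digit run.
SSN_RE = re.compile(r"(?<!\d)(\d{3})[- ](\d{2})[- ](\d{4})(?!\d)")

def looks_like_ssn(area: str, group: str, serial: str) -> bool:
    """SSA never issues area 000, 666 or 900-999, group 00 or serial 0000;
    such matches are placeholders, not PHI."""
    a, g, s = int(area), int(group), int(serial)
    if a == 0 or a == 666 or a >= 900:
        return False
    return g != 0 and s != 0

def text_parts(msg: Message):
    """Yield (location, text) for every scannable part of the message."""
    yield "subject", msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            raw = part.get_payload(decode=True) or b""
            yield "body", raw.decode(part.get_content_charset() or "utf-8", "replace")

def scan_outbound(raw_message: str) -> dict:
    """DLP decision: block the mail if any part carries an SSN. Findings are
    stored redacted (last four digits only) so the log itself holds no PHI."""
    msg = message_from_string(raw_message)
    findings = []
    for where, text in text_parts(msg):
        for m in SSN_RE.finditer(text):
            if looks_like_ssn(*m.groups()):
                findings.append((where, "XXX-XX-" + m.group(3)))
    return {"action": "block" if findings else "deliver", "findings": findings}

# Constructed sample messages (fictitious addresses and numbers).
SAMPLE_PHI = (
    "From: nurse@clinic.example\r\nTo: claims@insurer.example\r\n"
    "Subject: Claim question\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    "Patient SSN is 123-45-6789, please confirm coverage.\r\n"
)
SAMPLE_CLEAN = (
    "From: nurse@clinic.example\r\nTo: it@clinic.example\r\n"
    "Subject: Printer\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    "Ticket 000-12-3456 is a placeholder id; call ext 4521.\r\n"
)

if __name__ == "__main__":
    print(scan_outbound(SAMPLE_PHI))    # blocked, finding redacted to XXX-XX-6789
    print(scan_outbound(SAMPLE_CLEAN))  # delivered: area 000 is never issued
```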
Minimum Necessary Access
One of HIPAA’s primary requirements is that “minimum necessary access” to patient information be established, so that a specific employee can do his/her job without having access to patient information which is not required for the performance of that job. Not all of SETMA’s employees need the same access, or indeed any access, to all of SETMA’s patient records. Therefore, SETMA’s executive staff reviewed the responsibilities of each employee and set up their account in SETMA’s system to allow access only to what they need. This is also true of external organizations which have a HIPAA-compliant need to know information and which have encrypted access to our system; their access is limited only to that which they need in order to serve our mutual patients’ needs and interests.
Backup of all of SETMA’s systems and information
Another aspect of security relates to what happens if SETMA’s systems are destroyed by fire or natural disaster. SETMA has state-of-the-art, encrypted, digital tape backup of ALL SETMA system information, as well as the integration of the various parts of our system. Daily a copy of that tape is taken off premise and monthly a copy is placed in a safety deposit box in a local bank.
For SETMA, we have in place a “disaster recovery plan” so that all of SETMA’s systems and information can be restored within a few days, even if our IT Department and server room were totally destroyed.
HIPAA Policies and Standards
SETMA’s Information Technology Department has developed and established comprehensive policies and standards by which to guide the department and all of SETMA in the maintenance of HIPAA-compliant, secure and confidential medical records and medical information in an electronic environment. Security and compliance are not just the responsibility of SETMA’s IT Department but include all departments and providers. There are several dozen such policies and standards. SETMA has introduced all of SETMA’s staff and providers to these policies, and each staff member and provider has signed a compliance agreement document which affirms their understanding of the policy and their pledge to be guided by it and to comply with it.
“This policy is established to ensure all SETMA facilities, practices and personnel: Comply with federal HIPAA privacy and security regulations; adopt and enforce appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of protected health information (PHI); Safeguard confidential information from unauthorized access and use; and Maintain the confidentiality, availability and integrity of electronic information assets for which SETMA is the custodian according to SETMA Policies and Standards.”
Each policy and standard has a “scope” which relates to the specific issue addressed by the particular policy. The intent of each policy is stated in the “policy section” of each of the policies and standards:
“The Health Insurance Portability and Accountability Act (HIPAA) is a federal law. As part of compliance with HIPAA regulations, SETMA has defined policies and procedures for handling the privacy and security of health information. Information assets are valuable, and thus their integrity, availability, and confidentiality are essential to the business and to the patients we serve. Information assets shall be protected commensurate with their defined value, risk, and legal requirements.
“All SETMA facilities must apply prudent measures to protect the confidentiality, availability, and integrity of electronic information assets. In addition to implementing the SETMA information security policies and standards, each facility must implement and oversee procedures to support the SETMA Information Security Program and to comply with applicable federal and state regulations. Facilities in states with additional requirements must gain SETMA Corporate assistance to implement policies that address state-specific requirements.
“Information Security Program Elements
“The SETMA Information Security Program consists of policies, procedures and standards provided by the Corporate Information Technology Department. Each SETMA facility will implement the Corporate Information Security Program and any additional facility-specific information security procedures necessary to support compliance with applicable federal and state requirements.”
SETMA Policies include an explanation of the penalty for non-compliance. This section of the policy manual addresses:
“Suspected violations of this policy must be handled in accordance with this policy, the SETMA Code of Conduct, and with SETMA Compliance Policies. Each facility must implement and enforce the SETMA process for promptly reporting violations. Violations must be reported to the Facility Security Officer, Facility Privacy Officer and the Corporate Security Officer, as warranted. (See policy on Security Incident Reporting and Response).
“The Chief Information Officer (CIO) approves information security governance processes and exceptions. Exception approval is based upon risk management reflecting appropriate, reasonable, and effective information security measures for a given situation.
Security Program Policies and Standards
“Refer to the currently-approved list of SETMA security policies and standards. These policies and standards will be reviewed and updated at least annually.”