Magazine article Behavioral Healthcare Executive

Data at Rest = Data at Risk: A Provider Strives to Improve Data Security While Transitioning to an EMR

Article excerpt

Security is a journey, not a destination.

I'm not sure when I first heard this adage, but it had never been more apparent than following Touchstone Behavioral Health's (TBH) initial deployment of a hosted electronic medical record (EMR) system for our highly mobile staff. Due diligence led us to a HIPAA-compliant application with role-based access control. We spent months honing policies, fine-tuning procedures, and implementing advanced technologies to secure both our network and individual computers. Training and awareness programs educated users about viruses and worms. Phase one concluded as a major success: We effectively gathered and reviewed confidential client information, securely transferring it to and from our remote data center while providing services out in the community. Although our data "in transit" were protected, we realized that work still needed to be done on our data "at rest": information stored on local hard drives and removable media.

Creating a secure infrastructure

TBH provides evidence-based outpatient services to Medicaid-eligible children in Arizona. Our model is to meet clients and their families wherever they are most comfortable. Although we support five clinical locations across the state, the majority of our encounters are in homes, schools, or other community locales.

We chose an EMR system from Credible Behavioral Healthcare Software, and it meets all of our primary application requirements: ease of use, intake-to-billing integration, and hierarchical role-based security with full reporting to support our "anywhere, anytime" care philosophy. This software-as-a-service (SaaS) solution enforces strong password authentication and encrypts bidirectional data transmission between us and the vendor's hosted data center.

Between May and June 2007, TBH obtained, configured, and deployed approximately 120 Dell Latitude laptops in preparation for the EMR launch on July 1. To provide enterprise-level security for all of our computers, with minimal end-user impact, we chose Symantec Endpoint Protection, which offers an integrated personal firewall, advanced antivirus and antispam engines, and a "behavior-based zero-day threat mitigation" component. (Traditional antivirus looks for specific blocks of code, or "signatures," within potential malware; change the code enough to alter the signature and it slips through. Behavior-based systems instead examine what the code does at run time and block unexpected activities before they execute.) Combined with our existing traditional network defenses (intrusion detection and prevention, firewalls, application patching, content filtering, and e-mail encryption) and the EMR vendor's secure Web-enabled capabilities, we confidently transitioned from a paper-based system into an exciting new era leveraging technology to support our care model.
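The signature-versus-behavior distinction in the parenthetical above, shown as an added example (this is not code from the article, from TBH, or from Symantec Endpoint Protection): a toy signature scanner that matches a whole-file hash, beside a toy behavior monitor that judges a program by the sequence of actions it takes. The "executable image," the action traces, the cache and autorun paths, and the EMR host name are all constructed for the illustration.

```python
"""Why a one-byte change defeats signature matching but not behaviour rules.

Added illustration for the article; not code from the article, from TBH, or
from Symantec Endpoint Protection. Every image, path, host and trace below is
constructed for the example.
"""
import hashlib
from dataclasses import dataclass

# --- Signature-based detection -------------------------------------------------
# A signature scanner recognises known-bad code by what it looks like. The
# simplest form is a hash of the whole file; products also match byte patterns,
# but the weakness is the same: alter the bytes and the match fails.
KNOWN_BAD_IMAGE = b"MZ\x90\x00" + b"copy_client_records(); post_to_dropsite();"
SIGNATURE_DB = {hashlib.sha256(KNOWN_BAD_IMAGE).hexdigest()}


def signature_scan(image: bytes) -> bool:
    """True only if this exact image is already in the signature database."""
    return hashlib.sha256(image).hexdigest() in SIGNATURE_DB


def repack(image: bytes) -> bytes:
    """Stand-in for the attacker's trivial change: append one padding byte.
    The program behaves identically, but its hash no longer matches."""
    return image + b"\x00"


# --- Behaviour-based detection -------------------------------------------------
# A behaviour monitor ignores what the code looks like and watches what it does
# at run time: file reads and writes, network connections, and so on.
@dataclass(frozen=True)
class Action:
    kind: str    # "read", "write" or "connect"
    target: str  # file path or host:port


# Hypothetical policy for a clinician's laptop. These are assumed locations, not
# TBH's or the EMR vendor's real paths or hosts.
SENSITIVE_PATHS = ("/home/clinician/emr_cache/", "C:\\Users\\clinician\\EMRCache\\")
AUTORUN_PATHS = ("/etc/cron.d/", "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\")
TRUSTED_HOSTS = ("emr.vendor.example:443",)


def behavior_scan(trace: list[Action]) -> list[str]:
    """Return the suspicious patterns found in an ordered trace of actions."""
    findings = []
    touched_sensitive = False
    for a in trace:
        if a.kind == "read" and a.target.startswith(SENSITIVE_PATHS):
            touched_sensitive = True
        elif a.kind == "write" and a.target.startswith(AUTORUN_PATHS):
            findings.append(f"persistence: write to autorun location {a.target}")
        elif a.kind == "connect" and a.target not in TRUSTED_HOSTS and touched_sensitive:
            # Read client data, then talked to an unknown host: exfiltration pattern.
            findings.append(f"exfiltration: client data read, then connect to {a.target}")
    return findings


# Constructed traces. 203.0.113.7 is a documentation (TEST-NET-3) address.
MALWARE_TRACE = [
    Action("read", "/home/clinician/emr_cache/client_0042.xml"),
    Action("write", "/etc/cron.d/updater"),
    Action("connect", "203.0.113.7:8080"),
]
BENIGN_EMR_TRACE = [
    Action("read", "/home/clinician/emr_cache/client_0042.xml"),
    Action("connect", "emr.vendor.example:443"),
]


def compare(image: bytes, trace: list[Action]) -> dict:
    """Run both detectors over one sample and report what each caught."""
    return {"signature_hit": signature_scan(image), "behavior_findings": behavior_scan(trace)}


if __name__ == "__main__":
    print("original :", compare(KNOWN_BAD_IMAGE, MALWARE_TRACE))
    print("repacked :", compare(repack(KNOWN_BAD_IMAGE), MALWARE_TRACE))
    print("benign   :", compare(b"MZ\x90\x00EMR client", BENIGN_EMR_TRACE))
```

The repacked sample has the same behavior trace as the original, so the behavior rules still fire while the hash lookup misses. The benign EMR client reads the same cached record but only talks to the trusted host, so it produces no findings; that is the trade-off a behavior engine manages, since too broad a rule would flag the legitimate application.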

In January 2008, we began our review of phase one, and the results were very gratifying:

* User acceptance was nearly universal (some will always be more resistant to change than others).

* Workflows were streamlined, eliminating redundant steps in the documentation and billing process.

* Contract compliance was improved as TBH's business rules were encapsulated within the EMR to provide proper account coding.

* Per-provider billing was improved by approximately 5%, despite the new system's learning curve and a change of our major regional behavioral health authority midway through the six-month transition.

More importantly, we successfully initiated a culture of data security, merging technology, policy, and user awareness to minimize our risk of a data breach.

This analysis also focused on where data reside within our systems, and how they are protected. We reexamined role assignments within the EMR system to ensure that each provider had access only to information necessary to complete his/her assignments, and that strong password authentication was functioning properly. …
