Browsing through news online recently, I came across a troubling story.
Last month, Emory Healthcare in Atlanta announced that 10 discs containing electronic records on 315,000 patients had gone missing. That’s sensitive information on every patient who had surgery at three hospitals over a 17-year period.
Naturally, such a security breach is unacceptable under any circumstances. But it’s less important here to indict Emory than to consider how EHR can be made even more secure going forward.
Our business specializes in outsourced scanning and backfile conversion projects and considers three levels of safety and security when it comes to sensitive records like EHR.
First, there’s physical security. This is exactly what it sounds like – literally securing documents. The key here is an auditable chain of custody. Take a backfile scanning project involving tens of thousands of paper patient charts. Whether the job is performed on-site or at a dedicated scanning facility, you must be able to tell where any document is, and be able to access it immediately.
The most effective way to accomplish this is to implement a file tracking system designed to account for all actions: folder pull, delivery, folder check-in, document preparation, scanning, quality assurance testing, re-processing, indexing/exporting/OCR, auditing, folder check-out and in-process check-out.
Card Key access to documents and CCTV are also used to control and monitor the physical plant and equipment.
Part and parcel with physical security is electronic security. This is simply securing electronic information (whether on servers, physical media or stored remotely), and limiting who has access to it. An acceptable level of scrutiny here alone would have prevented the situation in Atlanta. I’ll never understand how 10 critical discs could be allowed to leave the facility. The fact they got out is mind-boggling.
The most important level of security, perhaps, is process security. This is about effective control of the scanning, indexing and archiving process, based on the detection of variances from the project plan in time for the project team to apply corrective measures.
What individuals have access to given documents at any point in time, and for how long? What logging is done of the time spent with the documents? How many people touched the documents? Are documents being scanned as efficiently as planned? All this information is essential to proper security procedures, and can be used to head off potential breaches long before they become a problem.