Essential security tips for clinics with EHR systems

Any program that runs on computers or uses an Internet connection carries risk, and electronic health record software is no exception. RedSpin, a health care IT security company, found in a 2013 study that 804 breaches of protected health information have been reported to the U.S. Department of Health and Human Services since the Health Information Technology for Economic and Clinical Health Act went into effect in 2009. More physicians, hospitals and clinics will continue to adopt EHR programs in the coming years due to meaningful use incentives and the overall benefits to patient quality of care, and the risk of data breaches should not stop them. There are a couple of important strategies that physicians and clinicians can practice in order to mitigate the risk of losing health information.

Mobile devices and employees
Jeff Forristal, chief technology officer at Bluebox Security, told mHealth News that users and employees continue to be the weakest link in EHR security protocol.

"They misplace devices, they have weak passwords, they don't log out of workstations, they inappropriately share information, they unintentionally expose the organization to more risk through errant actions, they can be tricked or social engineered," Forristal explained to mHealth News.

Most of these risks can be reduced with strict policies. Always require strong passwords for access to mobile devices, PC user accounts and the encrypted EHR system. With rules in place and posted around the clinic or hospital, employees will slowly but surely start adhering to them.

Ensure proper terminology
The culture around technology can be difficult for some to understand. Establishing definitions for acronyms and devices should remove confusion among clinical staff members. Furthermore, define certain aspects of EHR systems, programs and computers. If someone does not know what encryption means, teach the person rather than deciding it is not worth the effort. Taking the time to describe how systems and the cloud work will save staff from needing repeated explanations of the same function.

Additionally, with ICD-10 around the corner, it will become important to define diseases and afflictions. Forbes magazine reported that someone in a hospital once confused Congolese hemorrhagic fever with congestive heart failure because it was simply written as "CHF." The point of implementing ICD-10 and EHR systems is to achieve complete interoperability between providers and medical devices. Mistakes in terminology could lead to lower quality of care and outright confusion.

If a clinic is having security problems, it can be a good strategy to invest in a chief technology officer or employ IT staff members dedicated to creating safety protocols.