EHR security is a disproportionate struggle, where the smallest of organizations tend to have the hardest fight.
Unlike large organizations, smaller healthcare systems tend to lack the resources to implement EHRs from big-name vendors; they also often fail to perform security assessments and examine how the EHR operates, leading them to use potentially less secure platforms or to partner with EHR vendors that engage in unethical practices, such as Practice Fusion. That independent EHR vendor came under federal investigation for manipulating its system to recommend and advertise opioids to physicians. In January, Practice Fusion was fined $145 million for accepting kickbacks from a pharmaceutical company.
During a session at the virtual Black Hat USA 2020 event, Mitchell Parker, CISO at Indiana University Health, shared steps that small healthcare organizations can take to find EHR security resources, as well as simple, inexpensive steps they can take in-house to beef up security.
EHR security challenges
All healthcare organizations have to jump through the same regulatory EHR security hoops or face consequences, often in the form of financial penalties. The problem is, according to Parker, even large organizations struggle to meet basic federal requirements.
EHRs have to be certified by the U.S. government to receive federal reimbursement. Healthcare organizations are also required to complete annual risk assessments and risk management plans and follow up on what they find in terms of EHR security.
Failure to complete these tasks results in fines from the Office for Civil Rights, the enforcement arm of the U.S. Department of Health and Human Services. In a study, Parker assessed HIPAA settlements issued from 2015 to 2020, many of which involved multibillion-dollar organizations. He identified five key factors behind OCR fines related to EHR security. They are as follows:
- Failure to complete a risk assessment;
- Failure to complete a risk management plan;
- Failure to follow up on a risk assessment;
- Failure to properly report breaches within 60 days; and
- Failure to report a breach.
"If these multibillion-dollar companies can't do these five things, what are the odds of a smaller practice being able to do so?" he said. "If they're not doing these, they're also not reviewing changes to the EMR system, they're not reviewing changes to clinical decision support alerts, they're not reviewing who has access and they're not providing relevant training for purposes other than checking a box."
That's why Parker is advocating for changes to the Stark Law and Anti-Kickback Statute safe harbor regulations. These fraud and abuse laws prohibit providers from paying for referrals for services reimbursed by the federal government, and from referring patients to a facility with which the provider has a financial relationship. Safe harbors outline payment practices that aren't considered kickbacks or bribes to providers.
In 2019, HHS proposed making the donation of cybersecurity services from larger organizations to smaller healthcare providers a safe harbor. This would mean a healthcare system could donate cybersecurity services for free to physicians who refer patients to its hospitals and not face Anti-Kickback Statute penalties. Moving forward with this change will help smaller organizations achieve better EHR security, Parker said.
Improving EHR security
Smaller health systems may face a more daunting task of providing strong EHR security, but they are not alone.
Large organizations are paving the way, discovering the hurdles and working through the kinks -- something smaller organizations should use to their advantage. Parker said smaller healthcare organizations can contract with a larger healthcare system to use its EHR as well as its IT and security support teams that come with that -- teams smaller organizations often can't afford to employ.
"Use their expertise, use their staffing, pay them for their service to help," he said.
Small healthcare providers can also take steps to enhance EHR security without a larger healthcare system's help. One method is to limit who can make changes in the EHR. For those given permission, IT can require two-factor authentication, which makes the user provide two forms of identification before access is granted.
"I always reference Microsoft in their presentation at RSA earlier this year discussing how, out of all their account compromises, 99.9% of them occurred with people that did not have two-factor authentication," Parker said. "When your sample size is a billion accounts, that's a pretty good sample size. We have to work to make sure access is secure and use two-factor authentication even with smaller practices."
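The two in-house controls recommended above, restricting who may change the EHR and requiring a second factor from those who can, combine into a single authorization gate. The following Python is an added illustration written for this page; it is not code from the article, from Indiana University Health, or from any EHR vendor. It implements the time-based one-time password (TOTP) check from RFC 6238 using only the standard library and wraps it in a role check with an audit record. The usernames, roles, and TOTP secrets are constructed for the example (the secret is the RFC test vector), and `authorize_ehr_change` is a hypothetical name standing in for whatever hook a real EHR exposes.

```python
"""Gate EHR configuration changes behind a role check and a TOTP second factor.

Added example, not from the article. RFC 6238 TOTP (HMAC-SHA1, 30-second step,
6 digits) implemented with the standard library; users and secrets are constructed.
"""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per TOTP window
DIGITS = 6


def hotp(secret: bytes, counter: int) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: bytes, at_time: float) -> str:
    """TOTP is HOTP with the counter derived from the current time step."""
    return hotp(secret, int(at_time) // TIME_STEP)


def verify_totp(secret: bytes, code: str, at_time: float, window: int = 1) -> bool:
    """Accept the current step plus `window` steps either side to tolerate clock drift.

    Constant-time comparison so the check does not leak how many digits matched.
    """
    if not (code.isdigit() and len(code) == DIGITS):
        return False
    counter = int(at_time) // TIME_STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


# Constructed user directory. Only the ehr_admin role may change EHR configuration,
# and holders of that role must be enrolled in TOTP before the change is allowed.
USERS = {
    "dr.lee":     {"roles": {"clinician"}, "totp_secret": b"12345678901234567890"},
    "it.admin":   {"roles": {"ehr_admin"}, "totp_secret": b"12345678901234567890"},
    "contractor": {"roles": {"ehr_admin"}, "totp_secret": None},  # not yet enrolled
}

AUDIT_LOG = []  # append-only record of every decision, allowed or denied


def authorize_ehr_change(username: str, code: str, at_time: float) -> tuple:
    """Return (allowed, reason). Both the role check and the second factor must pass."""
    user = USERS.get(username)
    if user is None:
        reason = "unknown user"
    elif "ehr_admin" not in user["roles"]:
        reason = "role not permitted to change EHR configuration"
    elif user["totp_secret"] is None:
        reason = "second factor not enrolled"
    elif not verify_totp(user["totp_secret"], code, at_time):
        reason = "invalid second factor"
    else:
        reason = "ok"
    allowed = reason == "ok"
    # Every attempt is recorded so "who changed the EHR" can be reviewed later.
    AUDIT_LOG.append({"user": username, "allowed": allowed,
                      "reason": reason, "t": int(at_time)})
    return allowed, reason


if __name__ == "__main__":
    now = time.time()
    for name in ("dr.lee", "it.admin", "contractor", "nobody"):
        secret = (USERS.get(name) or {}).get("totp_secret") or b"placeholder"
        print(name, authorize_ehr_change(name, totp(secret, now), now))
```

The order of the checks matters: the role test runs before the one-time code is examined, so a clinician without change rights is refused even with a valid authenticator, and an administrator who was granted the role but never enrolled a second factor is refused rather than silently waved through. The audit entries give the review of "who has access" that Parker says organizations skip.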