
How to make protecting electronic health records simpler, safer

Want a safer EHR system? Assess the risks, log every single error and then assemble a cross-functional team to investigate. It's a painstaking -- but necessary -- process.

When error notifications suddenly stopped arriving for the Epic EHR system at Brigham and Women's Hospital, senior scientist Adam Wright and his team wondered if things were really going well -- or if they were going quite badly.

It turned out to be the latter: A full hard drive meant requests and alerts weren't processed -- something that could have, in a worst-case scenario, put patients at risk. In a panel discussion about best practices for protecting electronic health records during the recent American Medical Informatics Association Conference in San Francisco, Wright and others stressed the importance of assessing, monitoring and measuring the health of an EHR system in order to catch small issues before they become big problems.

What's the risk?

The process of protecting electronic health records begins with assessing the risk to the EHR system, explained Dean Sittig, a professor of biomedical informatics at the University of Texas Health Science Center. Sittig pointed to different risk areas that should be considered: clinical content, the human-computer user interface, personnel, clinical communication and workflow, internal policies and procedures, environment and culture, and external rules and regulation.

In order to determine which areas are most at risk and the most likely to cause the greatest harm if things go wrong, he suggested pulling a team of clinicians, technical people and health informatics professionals together to "review, discuss and vote" on the options.

His formula to determine overall risk is to give everything a number between one and five, and then multiply the severity score by the likelihood that the risk actually occurs and by the number of times the event could occur. Although that sounds complicated, he said once teams start to consider the scope of protecting electronic health records, it becomes straightforward.

"Ninety percent of this is a people problem," Sittig said. "Only 10% of this is actually a technology problem."

What should be monitored?

When it comes to protecting electronic health records, Wright suggests health IT teams break down monitoring into pieces. He said low-level infrastructure should be assessed, including how much hard-drive space is remaining, as well as memory and CPU utilization. Then, the team can look at database performance and the queues and caches in the production system. Finally, if everything is fine at the database level, Wright and his team turn their attention to the Mirth Connect HL7 message router for error messages.

"If you don't monitor these queues, if nobody's watching, something bad could happen," Wright said. "You want to make sure to watch the high-level stuff."
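The layered checks Wright describes, together with a check for the failure that opened this article (error notifications going quiet), can be sketched in Python. This is an added example, not code from the panel or from Brigham and Women's; the thresholds, function names and sample values are assumptions.

```python
import shutil
import time
from collections import namedtuple

# Assumed thresholds for illustration; tune them to the system being watched.
MIN_FREE_FRACTION = 0.10     # flag a volume with less than 10% free space
MAX_QUEUE_DEPTH = 500        # flag a message queue that is backing up
MAX_SILENCE_SECONDS = 3600   # flag an error feed that has been quiet for 1 hour

Finding = namedtuple("Finding", "check detail")

def check_disk(total_bytes, free_bytes):
    free = free_bytes / total_bytes
    if free < MIN_FREE_FRACTION:
        return Finding("disk", f"only {free:.1%} of the volume is free")
    return None

def check_queue(depth):
    if depth > MAX_QUEUE_DEPTH:
        return Finding("queue", f"{depth} messages waiting")
    return None

def check_silence(last_notification_ts, now):
    # A quiet error feed is treated as a fault to investigate, not as good news.
    quiet_for = now - last_notification_ts
    if quiet_for > MAX_SILENCE_SECONDS:
        return Finding("silence", f"no notifications for {quiet_for:.0f} seconds")
    return None

def evaluate(total_bytes, free_bytes, queue_depth, last_notification_ts, now):
    # Lowest layer first, so a full disk is reported ahead of the silence it causes.
    results = [
        check_disk(total_bytes, free_bytes),
        check_queue(queue_depth),
        check_silence(last_notification_ts, now),
    ]
    return [r for r in results if r is not None]

if __name__ == "__main__":
    usage = shutil.disk_usage("/")   # real free space on the root volume
    now = time.time()
    # Constructed sample values: 40 queued messages, last notification 2 hours ago.
    for finding in evaluate(usage.total, usage.free, 40, now - 7200, now):
        print(f"ALERT [{finding.check}] {finding.detail}")
```

In practice the queue depth and the time of the last notification would come from the database and the interface engine's own logs rather than from constants.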

EHR safety checks should also include looking at application performance and user satisfaction, Wright said. And, above all else, when it comes to protecting electronic health records, he stressed the importance of logs.

"You can't manage what you can't measure," he said. "And once you've logged, do something with the data. [Set up] dashboards where you can visualize log data."

Investigate risky events

The final steps to improve EHR safety involve investigation and then potentially mitigation, according to Farah Magrabi, an associate professor at the Center for Health Informatics within the Australian Institute of Health Innovation at Macquarie University in Sydney.

Her advice was to group safety events together and decide on a plan. Less severe events might just need an aggregate review, but she stressed that, in some cases, even near-miss events might need scrutiny.

Investigating teams should be multidisciplinary and include experts in informatics, IT, clinical safety and systems engineering.

"There's no one technique when it comes to investigation," she said.

The team should look at hardware and software logs, the clinical content and the human and computer interactions.

"Go observe the setting to see what was the workflow," she said. "A trained observer can uncover why something happened."

Her final suggestion: Use the same team for consecutive investigations. "You really want the attention to detail."

This was last published in November 2018
