At one facility, observations that subsequently led us to a focused remediation path included:
1. The compliance organization at the facility was hampered by inadequate technology, resources and processes for monitoring and acting on potential privacy violations.
3. Application security vulnerability identification and management by the EMR vendor was inadequate and sorely needed improvement.
3. Security monitoring especially at the application and database level needed substantial improvement.
4. Secure data lifecycle management was not a priority during EMR system deployment. As a result, items of specific concern included:
- Haphazard long-term data storage and archiving approach
- Inappropriate data purging
- Murky data ownership responsibilities
- Inadequate procedures and systems for information asset discovery
- Inadequate data classification
- Insecure handling of physical media
While contemplating doomsday scenarios alone is not helpful, we believe that hospitals and large health institutions must tackle security and privacy in a very diligent and holistic way, almost akin to what the financial industry did to secure its transaction systems in the mid-2000s. Without a concerted effort at every layer of the information infrastructure (device, network, and application), strict policies and use guidelines, and accurate monitoring capabilities, EMR deployments could grind to a halt. The country needs better answers for securing EMRs. With the imminent outlays proposed by our new President to modernize our health care system, security professionals must step to the fore.
Feisal Nanji, CISSP, is Executive Director at Techumen, a consulting firm that focuses on security, compliance, and privacy issues for health institutions. He can be reached at: feisal@techumen.com.