EHRs and information availability: are you at risk? The EHR initiative is changing the face of disaster and the nature of prevention planning

Health Management Technology, May, 2006 by Jim Grogan

On April 27, 2004, the age of the electronic health records (EHR) in the United States took a major step forward. President Bush called for the creation, at the federal level, of a National Coordinator of Healthcare Information Technology within the Department of Health and Human Services (HHS). Today, HHS has appointed the Healthcare Information Technology Standards Panel (HITSP) to coordinate the development of standards, and has awarded contracts to four companies to develop prototypes of a national health information network. The goal for these competing contracts is to see if by using standards-based architectures, information can be effectively shared across what, in essence, will be competing commercial solutions.

Many elements will contribute to the success of national EHR standards, including acceptance by multiple commercial vendors, efficient automated system interfaces to populate the records and maintain data integrity, and support and compliance with all applicable healthcare regulations. When planning for disasters in the age of EHRs, organizations need to consider external and internal authorized users of the electronic health records and their requirements for accessing data. Vigilant security officers and others need to prepare for the very real possibility of unauthorized users breaking into systems and creating havoc. Organizational leaders must realize that EHRs will inevitably fail, and determine how to maintain access to critical data and systems. Finally, organizations must decide how practitioners can provide patient care when the EHR is not available for making clinical decisions.

Reviews of statistics consistently have pointed out that medical practice can be improved by reducing the medical errors that occur during treatment. Errors may be based on incomplete medical records, transcription mistakes, or failure to correlate medical histories with current treatment decisions. The effective use of automation can allow practitioners at every level to make decisions and treat patients to the best of their abilities.

Assuming that broad-based acceptance of national EHR standards occurs in the next eight years, it is reasonable to expect that doctors, nurses and associated practitioners will become dependent on automated information. With vast amounts of personally identifiable information in any health record, consumers face risks of abuse or privacy breaches. There are many examples of this today in the frequent theft of individual financial information. EHR data faces the same type of risks; it requires well designed security provisions and constant monitoring of the effectiveness of this electronic security.

Accessing EHRs

Access and information security go hand-in-hand with EHRs. Within the realm of authorized access, solutions need to accommodate both internal and external users of the system. Internal users--institutions, physician practices or healthcare networks--have regular access to patient information in a constant manner as part of the delivery of care. This includes review of current medical histories, drug interactions and allergies, and various departmental studies such as MRIs, CT scans and laboratory results. Authorized external practitioners may from time-to-time require access to studies or other EHR elements.

In developing the standards, the HITSP is preparing "use cases," which both define and validate the standards with cases that are typical in the practice of medicine. These use cases include clinical vignettes that examine practical access points that are essential to EHR success. EHR value comes from providing rapid access to necessary medical records and departmental results to authorized providers, and an electronic audit trail must be maintained to document the access by each authorized caregiver.

For companies building EHR systems and the institutions that run these systems, access authorization depends on integration with security systems. Individual security authorization systems vary between commercial solutions. One system may be password or smartcard authorized, while another may use biometric identification. To ensure patient privacy, authorized caregivers are only provided access to appropriate information relative to a patient in their care.

Numerous other parties require authorized access, too. These may include insurance companies and payer organizations, drug companies and federal drug regulators, pharmacies and patients themselves. Organizations or individuals may need to access the EHR for legitimate reasons from outside the original care delivery organization. Because they need to have constant and reliable access to those data and systems, the individuals and organizations become stakeholders in any plan to prevent system failure or disaster.

Security of Data and Infrastructure

Each organization that provides authorized access also must prepare for unauthorized access. Hackers, and more broadly speaking, data thieves, view the accumulated EHR data as a valuable commodity. Securing the EHR infrastructure is a given; having effective and vigilant monitoring of all access is a responsibility of each organization that houses or owns the electronic data.