CyberSecurity

What Is CyberSecurity?
The protection of data and systems in networks that connect to the Internet. For the purposes of this page, the definition applies to any computer or other device that can transmit electronic health records to another device over a network connection, whether that connection uses the Internet or some other network.

Why Should Health Care Practices Worry about Security?

Good patient care means safe record-keeping practices. Do not forget that an electronic health record (EHR) represents a unique and valuable human being: it is not just a collection of data that you are guarding. It is a life.

It is vital to do as much as possible to protect sensitive health information in EHRs. The consequences of a successful cyber attack could be very serious, including loss of patient trust, violations of the Health Insurance Portability and Accountability Act (HIPAA), or even loss of life or of the practice itself.

Meaningful Use criteria make it virtually certain that eligible providers will need an Internet connection. To exchange patient data, submit claims electronically, generate electronic copies of records at patients' request, or e-prescribe, an Internet connection is a necessity, not an option. Basic cybersecurity practices are therefore needed to protect the confidentiality, integrity, and availability of EHR systems however they are delivered, whether installed in a physician's office or accessed over the Internet.

All health care practices that are “Covered Entities” under HIPAA (most are) are also responsible for complying with HIPAA's two related rules: the Privacy Rule and the Security Rule. The HIPAA Security Rule sets out specific protections that every covered provider must follow to protect health information, grouped into administrative, technical, and physical safeguards. When applied well, these safeguards help practices avoid some of the common security gaps that lead to cyber attack or data loss, and they protect the people, information, technology, and facilities that health care providers depend on to carry out their primary mission: helping their patients.



The Threat of Cyber Attacks: Almost everyone has seen news reports of cyber attacks against, for example, nationwide utility infrastructure or the information networks of the Pentagon. Health care providers may believe that if they are small and low profile they will escape the attention of the “bad guys” behind these attacks. Yet every day there are new attacks aimed specifically at small to mid-size organizations precisely because they are low profile and less likely to have fully protected themselves. Criminals have been highly successful at penetrating these smaller organizations and carrying out their activities while the victims remain unaware until it is too late.

Our Own Worst Enemy: Even though cyber attacks by hackers and other criminals make popular news stories, research indicates that well-meaning computer users are often their own worst enemies because they fail to follow basic safety principles, whether from lack of training, time pressure, or any of a range of other reasons.

ONC’s Cybersecurity Checklist [PDF - 507 KB] presents 10 simple best practices that should be followed to reduce the most important threats to the safety of EHRs. This core set of best practices was developed by a team of cybersecurity and health care subject matter experts to address the unique needs of small health care practices, and is based on a compilation and distillation of cybersecurity best practices for smaller organizations.

The information contained in this guide is not intended to serve as legal advice nor should it substitute for legal counsel. The material in this guide is designed to provide information regarding best practices and assistance to Regional Extension Center staff in the performance of technical support and implementation assistance. The guide is not exhaustive, and readers are encouraged to seek additional detailed technical guidance to supplement the information contained herein.

For more information on how to use this checklist, contact your Regional Extension Center or email onc.security@hhs.gov.
