Overview:
Heart City Health Center (HCHC), a federally qualified health center (FQHC) in Elkhart, Indiana, conducts many kinds of evaluations to gauge how well it serves its 10,000 patients. But for the last two years, HCHC has conducted a different sort of evaluation: a risk assessment to evaluate how well the center’s electronic health record (EHR) system keeps patient information safe and secure.
HCHC receives its security risk assessment from the Purdue Regional Extension Center (PurdueREC). According to the center’s operations manager, Fundisani Mangena, MBA, “it’s given us a new way of looking at our security policies.” Mangena noted that as a health center with a limited IT staff, Heart City welcomes the support they receive from PurdueREC, particularly related to rules and regulations governing privacy and security.
Outcome:
PurdueREC’s Senior Advisor for Security, George Bailey, who conducted the evaluation at Heart City, explains the process, which requires a full day.
First, Bailey leads the center’s IT Manager, corporate compliance officer, and Mangena through a battery of questions to determine exactly how they implement their privacy and security policies. He also conducts a review of all written policies.
Bailey then conducts a walk-through of the center, evaluating the risk of disclosure of patient information at each step of the patient flow process, from triage to patient reception and elsewhere. He also examines risks from a workflow perspective: how do staff members access the EHR; how do they protect their passwords; can passersby see information displayed on desktop monitors?
As a final step, Bailey assesses the IT system itself. “We look at how well the operating system is configured from a security perspective,” Bailey explained. “We can always secure a computer — one with multiple log-ins, for example. But once you take it to that level, people will find ways around it to get their work done. Providers have good intentions. They want the information to be secure, but they also have to see 30 patients that day.”
Lessons Learned:
Security must be tight, but can’t interfere with providers serving their patients. Mangena suggests striking a balance to make the patient information as secure as possible, while at the same time making the data readily available to clinicians to provide the best possible care.
“It’s not just about privacy and security,” he said. “It’s also about the availability and integrity of the information to the provider at the point of care. So security must not become a barrier to treatment. That’s the way we’re looking at it now, as we’re building our systems and policies for the future.”