An electronic health record (EHR) may be defined as an electronic system, maintained by a health care organization's administration, that is used to collect, update, and store patients’ personal medical information and to manage clinical workflows. It has multiple functions essential for high-quality health care delivery, such as the management of orders and results, the capture of patients’ individual data, health information exchange, clinical decision and patient support, population health reporting, and electronic communication (Ehrenstein et al., 2019). The security of EHRs is essential because they contain confidential information that must be protected, including demographics, problem lists, diagnoses, medications, laboratory data, and vital signs.
The Health Insurance Portability and Accountability Act (HIPAA) requires all health care organizations, regardless of their size, to secure private health information. In a data-driven world where technologies change rapidly, new vulnerabilities are constantly being discovered in systems that were previously considered secure. Securing information therefore does not mean implementing security solutions once and then forgetting about them (HIPAA Journal, 2017). Instead, health care organizations should regularly review their security controls, maintain and upgrade their security solutions, and update their procedures and policies to ensure information privacy.
In general, medical health records are confidential, and the licensees responsible for care delivery should protect this information and provide adequate security measures. Control over medical records cannot be relinquished to third parties without an enforceable agreement that guarantees secure access to the data, the protection of patient confidentiality, and penalties for violations of the security rules. The common security measures that a security strategy typically includes for subsequent implementation are the following:
- A firewall to prevent unauthorized access to data;
- An antivirus solution together with spam and web filters to prevent cyberattacks and malware infections;
- Data encryption;
- Regular, comprehensive backups for recovery in case of an emergency;
- Physical access controls to prevent the theft of equipment and data;
- Anti-phishing and security awareness training for medical personnel;
- Up-to-date security policies and the latest versions of all software.
References
Ehrenstein, V., Kharrazi, H., Lehmann, H., & Taylor, C. O. (2019). Chapter 4: Obtaining data from electronic health records. In R. E. Gliklich, M. B. Leavy, & N. A. Dreyer (Eds.), Tools and technologies for registry interoperability, registries for evaluating patient outcomes: A user’s guide (3rd ed., Addendum 2). Agency for Healthcare Research and Quality (US).
HIPAA Journal. (2017). How to secure patient information (PHI). HIPAA Journal.