Commentary
Elevating your encryption practices
Last year, cybercrime cost the global economy more than $450 billion; more than 2 billion personal records were stolen and, in the U.S. alone, over 100 million Americans had their medical records stolen [1].
Whether or not your organization leverages a content services platform, your system must keep sensitive data and critical information from unauthorized users at all times.
Protect data at every state
An enterprise information platform, such as OnBase by Hyland, should encrypt your healthcare organization’s data—whether clinical or administrative—so that it is secure while at rest, in motion, and in use.
Files should only be decrypted when accessed by a user with rights and privileges. By encrypting any personal information stored in databases, organizations ensure the values cannot be used by identity thieves, if compromised.
Encryption protects data in transit, too. Transport Layer Security encrypts communications end to end, rendering data useless to potential attackers. Role-based access controls enable only authorized parties to view or modify files and metadata while in use.
More than full-disk encryption (FDE)
A good start to protecting data at rest is FDE. With FDE, a user powers on a machine and enters the key to decrypt the drive; the drive is then re-encrypted when the machine is powered off. While FDE protects information if the hard drive is ripped from the machine and stolen, unauthorized access while the data is online is still possible.
Even with FDE, a criminal could access remote file shares, and view and tamper with files. FDE also does not address security concerns that arise when continuously hosting files online. A good security policy should resemble the structure of an onion—multiple layers of security are essential at all times.
FDE does not protect individual files; it does not keep each file encrypted until a party with rights to view or modify it accesses the file. When only FDE is employed, an unauthorized user could search the system for files that contain customer metadata, resulting in a compliance breach, such as a HIPAA violation.
A winning combination
Combining FDE and file encryption is recommended. Encrypt individual files, decrypting them only when a user with viewing rights tries to access them from within their content management solution.
Separately, FDE and file encryption are imperative security measures, but the combination makes your system even more secure. When reviewing file protection policies, consider each approach. Implementing both FDE and file encryption helps defend against more threats than if only one is employed.
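The layering described above, as an added example (not code from the original article, OnBase or Hyland): a hypothetical FileVault class keeps each file AES-GCM encrypted on an already-mounted volume and decrypts it only for users with viewing rights. The class, user names and sample record are constructed, and the Python cryptography package is assumed.

```python
import os
import tempfile
from pathlib import Path
from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

class FileVault:
    """Hypothetical store (not a vendor API): files stay encrypted on the share."""
    def __init__(self, share_dir, key):
        self.share = Path(share_dir)  # what anyone browsing the volume sees
        self.aead = AESGCM(key)       # assumption: real key is held in a KMS/HSM
        self.viewers = {}             # file name -> users with viewing rights

    def store(self, name, plaintext, viewers):
        nonce = os.urandom(12)        # fresh 96-bit nonce per encryption
        # Binding the file name as associated data stops ciphertext swaps.
        blob = nonce + self.aead.encrypt(nonce, plaintext, name.encode())
        (self.share / name).write_bytes(blob)
        self.viewers[name] = set(viewers)

    def read(self, user, name):
        if user not in self.viewers.get(name, set()):
            raise PermissionError(f"{user} has no viewing rights on {name}")
        blob = (self.share / name).read_bytes()
        return self.aead.decrypt(blob[:12], blob[12:], name.encode())

def demo():
    """Constructed scenario: the volume is mounted, so FDE is already unlocked."""
    record = b"patient=Jane Doe; mrn=000000 (constructed sample)"
    out = {}
    with tempfile.TemporaryDirectory() as share:
        vault = FileVault(share, AESGCM.generate_key(bit_length=256))
        vault.store("chart.txt", record, viewers={"dr_lee"})
        path = Path(share) / "chart.txt"
        raw = path.read_bytes()
        out["raw_leaks_plaintext"] = b"Jane Doe" in raw
        out["authorized_read_ok"] = vault.read("dr_lee", "chart.txt") == record
        try:
            vault.read("intruder", "chart.txt")
        except PermissionError:
            out["unauthorized_blocked"] = True
        # Tampering via the file share: flip one bit of the stored blob.
        path.write_bytes(raw[:-1] + bytes([raw[-1] ^ 1]))
        try:
            vault.read("dr_lee", "chart.txt")
        except InvalidTag:
            out["tamper_detected"] = True
    return out
```

Calling demo() returns the four observed outcomes; the tamper check relies on the AES-GCM authentication tag, which FDE alone does not provide for individual files.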
Reference
Patient Portals
Analyzing patient access to personal health information
Survey highlights trends in consumer access to health information via patient portals
Four out of five consumers take advantage of their healthcare provider’s patient portal, according to a 2016 survey on consumer access to health information presented at the American Health Information Management Association (AHIMA) 89th Annual Convention & Exhibit in Los Angeles.
The availability of electronic health records has increased significantly since 2009, when the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law, allowing consumers to access their healthcare information in a meaningful and secure manner.
The survey results revealed a significant reduction in charging consumers for access to their medical records; a significant increase in portal availability; and a moderate usage rate of Personal Health Records (PHR). Those results, in comparison with a similar 2013 survey of HIM leaders, showed the following key data:
- Eighty-two percent of consumers accessed their electronic health record through their provider’s patient portal in 2016 compared to generally less than 5% in 2013.
- In 2016, only 10% of consumers were charged for copies of their personal health information when they were requested, compared to 65% in 2013.
- Less than half of consumers surveyed reported that they maintained a PHR in either paper or electronic form.
Survey results also uncovered that consumers who had healthcare experience were no more likely to use a patient portal or maintain their PHR than consumers without healthcare experience. In fact, opportunities exist to educate not only consumers, but also other healthcare professionals about how to access their information.
“Although we have seen a dramatic improvement in patient engagement with their PHI, there is always room for improvement,” said AHIMA interim CEO Pamela Lane, MS, RHIA. “Health information management professionals have an obligation to continue to assist patients and others in accessing and maintaining their own personal health record.”
AHIMA is dedicated to helping healthcare providers streamline patient health information request processes to ensure they are compliant with the Office for Civil Rights’ (OCR) guidance on an individual’s right of access under the Health Insurance Portability and Accountability Act (HIPAA). Announced in July 2017, the Patient Request for Health Information form is intended to be used as a template—to be modified with organizational specific contact information—and given to patients or their designated personal representative when requesting access to health records. AHIMA
Alarm Management
You rang? Researchers address “alarm fatigue” among staff and the rate of false alarms
In the ICU, it’s uncommon to hear silence—buzzing, beeping, and ringing of alarms are part of the hum of the ICU environment. The Joint Commission attributes many alarm-related incidents and deaths to the “alarm fatigue” hospital workers face. Alarm fatigue happens when staff “tune out” the background sounds, and can negatively impact patient safety and potentially lead to life-threatening events. Two studies from researchers in New York aim to decrease alarm rates, tackle alarm fatigue, and assess alarm accuracy in the ICU.
Researchers from Harlem Hospital Center embarked on a quality improvement project with the main aim of improving response time to alarms by reducing alarm frequency. The project was designed to address alarm-setting strategies institutionwide, decrease the frequency of alarms in the critical care units and to ultimately improve patient safety by decreasing alarm response time to less than 60 seconds.
The project took place in the 20-bed adult intensive and coronary care units. All clinical alarm-sounding devices were audited, and the three devices with the highest alarm frequencies and greatest impact (bedside cardiac monitors, infusion pumps, and mechanical ventilators) were targeted for alarm reduction interventions. Data on the frequency of alarms and response time were gathered through 20-minute observation intervals pre- and post-intervention. Average alarm rates decreased significantly by over 70% from 4.5 to 1.3 alarms/patient/hour at four months post-intervention. However, there was no improvement in response time. This important outcome challenges the presumption that reducing alarm frequency will necessarily lead to a decrease in alarm fatigue and an improvement in response time.
In the second study, researchers from Maimonides Medical Center analyzed the accuracy of cardiac monitor alarms in the intensive care unit (ICU) using the hospital’s standard protocol. This project took place in the ICU of a teaching hospital for one year, with a total of 2,408 alarms that occurred among 350 patients. Each alarm was studied retrospectively for the occurrence of an actual cardiac event suggested by the alarm. Results found that a large number of alarms in the ICU are false, without any clinical significance, despite following the standard protocol to reduce false-positive alarms. EurekAlert!
Telehealth
Making appointments easier for veterans
The United States Department of Veterans Affairs (VA), an early adopter of telehealth since the 1990s, operates a large telehealth program in the U.S. with 700,000 Veterans receiving telehealth services for 50 different specialties. The initiative to enable regulation and technologies that allow providers to offer telehealth services to veterans anywhere in the country is called “Anywhere to Anywhere, VA Healthcare.”
Dr. David J. Shulkin, Secretary of Veterans Affairs, recently announced two new digital apps to be implemented across the VA in its mission to expand patient access using telehealth.
The newest app, called Veteran Appointment Request or VAR, allows veterans to schedule, change, or cancel appointments directly with VA providers. VAR makes it possible for veterans to self-schedule primary care appointments and request assistance in booking both primary care and mental health appointments. It is available in all 18 VA regions, and already 4,000+ appointments have been booked.
The second app is called VA Video Connect. Using encryption to ensure a secure and private session, it connects veterans with their healthcare team from anywhere. The app makes VA healthcare more convenient and reduces travel times for veterans, especially those in very rural areas. VA Video Connect is being used by more than 250 VA providers across the country and is available to all VA facilities as of October 2017.
Many of the VA’s telehealth capabilities are powered by GlobalMed, the telehealth provider for the White House. The VA uses mobile medical stations, the Transportable Exam Station (TES), the ClinicalAccess Station, and Xpress, which Dr. Shulkin demonstrated to President Trump during a VA telehealth event in August.
The GlobalMed Transportable Exam Station is housed in a rugged case that enables providers to travel to their patients in remote environments and still provide quality, evidence-based care. ClinicalAccess Station is a configurable telehealth station that can accommodate a wide array of examination capabilities using integrated video conferencing software and connected medical devices. Xpress is a compact, mobile medical cart that serves as a hub for all telehealth consultations. With a slim footprint, built-in WiFi and Ethernet and connected medical devices, Xpress fits into small clinical spaces.
These devices provide clear images combined with the highest sound quality, and enable clinicians to collect the critical data needed to treat patients, regardless of location. GlobalMed