
Solving for HIPAA During an EHR Go-Live

June 29, 2018

Launching a new Electronic Health Records (EHR) system is a milestone in any hospital or healthcare practice's IT modernization program. Known as the go-live event, it is the culmination of significant investments in time and resources across many cross-functional departments. Success is measured by the staff's adoption of the new system and its positive impact on costs, efficiency, and patient care outcomes. However, modernization programs and go-live plans often overlook the potential for data leaks and cybersecurity incidents, and the damage they can cause.

The U.S. Health Resources & Services Administration, a part of the Department of Health and Human Services (HHS), recommends that health care providers thoroughly evaluate and plan all aspects of EHR implementations, allocating adequate time to set up infrastructure and train staff on new operational tasks. The administration strongly suggests running tests to ensure all EHR builds are complete, that hardware, software and network interfaces are compatible, and that backup and downtime procedures are in place.

Processes for maintaining secure infrastructure and preserving the privacy of Protected Health Information (PHI) need to be top-of-mind as well. With regard to email security, HHS suggests these best practices:

  • Treat unsolicited emails from individuals asking about you, your employees, your colleagues or any other internal information with extreme caution.
  • Do not reveal personal, health, or financial information in unencrypted email, and do not respond to emails soliciting this information, including by following links sent in such emails.
  • Install and maintain anti-virus software, firewalls, and email filters to block potentially nefarious traffic.
  • Take advantage of any anti-phishing features offered by your email client and web browser.
  • If you are unsure whether an email is legitimate, try to verify it by contacting the sender directly via phone.

The Health Insurance Portability and Accountability Act (HIPAA) permits health care providers to use email to discuss treatment with their patients, but healthcare staff should vigilantly protect the privacy of PHI in the process. Per HHS’s guidance:

“…while the [HIPAA] Privacy Rule does not prohibit the use of unencrypted e-mail for treatment-related communications between health care providers and patients, other safeguards should be applied to reasonably protect privacy, such as limiting the amount or type of information disclosed through the unencrypted e-mail.” – U.S. Department of Health and Human Services

While the recommendations don’t explicitly mention it, email encryption is a vital defense tool for safeguarding sensitive healthcare information in these scenarios.

Safeguarding Your EHR

Modernizing healthcare with a new EHR system does not mitigate the inherent risks of sharing PHI via email. EHRs are not a panacea. Healthcare organizations should complement EHRs with processes that enhance security and maintain HIPAA compliance as PHI is shared. Data-centric protection via end-to-end email encryption is a straightforward and effective way to pair the efficiencies of EHR systems with security and privacy assurances. To ensure adoption among healthcare staff, effective solutions should work seamlessly with existing email applications like Gmail and Outlook and browsers like Chrome. Data-centric protection that is actually adopted, and that raises security awareness along the way, goes a long way toward safeguarding PHI and addressing the security concerns that accompany EHR data exchanges.