For smaller orgs, EHR security is a disproportionate struggle

EHR security challenges

All healthcare organizations have to jump through the same regulatory EHR security hoops or face consequences, often in the form of financial penalties. The problem is, according to Parker, even large organizations struggle to meet basic federal requirements.

EHRs have to be certified by the U.S. government to receive federal reimbursement. Healthcare organizations are also required to complete annual risk assessments and risk management plans and follow up on what they find in terms of EHR security.

Failure to complete these tasks results in fines from the Office for Civil Rights, the enforcement arm of the U.S. Department of Health and Human Services. In a study, Parker assessed HIPAA settlements issued from 2015 to 2020, many of which involved multibillion-dollar organizations. He discovered five key factors for OCR fines related to EHR security. They are as follows:

• Failure to complete a risk assessment;
• Failure to complete a risk management plan;
• Failure to follow up on a risk assessment;
• Failure to properly report breaches within 60 days; and
• Failure to report a breach.

"If these multibillion-dollar companies can't do these five things, what are the odds of a smaller practice being able to do so?" he said. "If they're not doing these, they're also not reviewing changes to the EMR system, they're not reviewing changes to clinical decision support alerts, they're not reviewing who has access and they're not providing relevant training for purposes other than checking a box."

That's why Parker is advocating for changes to the Stark Law and Anti-Kickback Statute safe harbor regulations. These fraud and abuse laws prohibit providers from paying for referrals that receive reimbursement from the federal government or refer patients to a facility where the provider has a financial relationship. Safe harbors outline payment practices that aren't considered kickbacks or bribes to providers.  

In 2019, HHS proposed making the donation of cybersecurity services from larger organizations to smaller healthcare providers a safe harbor. This would mean healthcare systems could donate cybersecurity services for free to physicians who refer patients to its hospital and not face Anti-Kickback Statute penalties. Moving forward with this change will help smaller organizations achieve better EHR security, Parker said.

Improving EHR security

Smaller health systems may face a more daunting task of providing strong EHR security, but they are not alone.

Large organizations are paving the way, discovering the hurdles and working through the kinks -- something smaller organizations should use to their advantage. Parker said smaller healthcare organizations can contract with a larger healthcare system to use its EHR as well as its IT and security support teams that come with that -- teams smaller organizations often can't afford to employ.

"Use their expertise, use their staffing, pay them for their service to help," he said.

Small healthcare providers can also take steps to enhance EHR security without a larger healthcare system's help. One method is to limit who can make changes in the EHR. For those given permission, IT can require two-factor authentication, two forms of identification provided by the user before access is granted.

"I always reference Microsoft in their presentation at RSA earlier this year discussing how, out of all their account compromises, 99.9% of them occurred with people that did not have two-factor authentication," Parker said. "When your sample size is a billion accounts, that's a pretty good sample size. We have to work to make sure access is secure and use two-factor authentication even with smaller practices."