Important Security Reminders for CORHIO ParticipantsDate: October 26th, 2016Category: CORHIO e-NewsletterTopics: CORHIO Network, Data Security
With recent news from Boston of a security breach involving data in a health information exchange, the CORHIO Security Team has these timely reminders for our participants.
A healthcare clinic in Boston recently reported a security incident involving a vendor employee, who did not have permission or credentials to access patient information via their health information exchange (HIE), yet obtained a clinic employee’s log-in and password and accessed over 4,000 patient records. According to the report, the vendor accessed “information about payment for medical services - name, address, date of birth, gender, medical services payer information and medical insurance coverage information. For some individuals, Social Security numbers were also accessible.”
CORHIO takes the security of patient data available in the Community Health Record very seriously. Our Security Team utilizes sophisticated auditing and monitoring tools to ensure data security and that users are only accessing patient records for those which they have a clinical relationship. All participants receive extensive training on security, passwords, and appropriate access, and sign a detailed User Agreement (see bottom of this article for a copy). All of our participants have an obligation to keep HIE patient data private and secure, just as they do for electronic health record (EHR) use.
Here are a few tips and reminders about data security as it relates to the CORHIO health information exchange.
- Remember that Authorized Users are responsible for all actions performed under their credentials, so never share log-ins or write them down where others can see them. And never show information from CORHIO to an unauthorized user on your computer screen.
- Schedule regular training of new employees and re-training of long-time employees – include information on what constitutes appropriate access to the HIE.
- Communicate with CORHIO’s Help Desk – any time an employee leaves who had CORHIO log-ins, if you suspect a potential problem/breach, or if you have any security-related questions, we are here to help. Please note: as standard security practice, the CORHIO Help Desk will never ask you for your password.
- Regularly review and update your Policies and Procedures, particularly as they relate to CORHIO and protected health information.
- Evaluate the security controls for all personal computers, laptops, or workstations used to access the CORHIO HIE. We recommend anti-virus protection, regularly updating systems to mitigate known vulnerabilities (patching), providing session timeout controls, and minimizing the use of Internet services that could introduce spyware or other malicious software.
- Periodically conduct a risk analysis to identify threats to your information systems that contain PHI, including the CORHIO system. The risk assessment should be performed whenever a significant system change is made or at least annually. Consider engaging an independent, third party to assist with or perform the risk assessment. CORHIO’s Transformation Support Services can help your with PHI-related procedures and risk assessments.
- As your organization gains new functionality available through CORHIO’s continued technology progress, such as clinical document exchange, re-evaluate your policies and procedures and conduct updated employee training.
APPENDIX A - USER AGREEMENT AND APPROPRIATE USE OF SERVICES
As a condition to being allowed access to the CORHIO Health Information Exchange (“the System”), I agree to abide by the following terms and conditions:
1. I will not disclose my user name and password to anyone.
2. I will not allow anyone to access the System using my user name and password.
3. I will not attempt to learn or use another’s user name and password.
4. I will not access the System using a user name and password other than my own.
5. I am responsible and accountable for all data retrieved and all entries made using my user name and password.
6. If I believe the confidentiality of my user name and password has been compromised, I will immediately notify the CORHIO help desk so that my password can be changed.
7. I will not leave my computer unsecured while logged into the System.
8. I will treat data available to me through the System confidentially, as defined by HIPAA. I will not disclose any confidential information unless required to do so within the official capacity of my job responsibilities, and then limited to parties with a legitimate need to know.
9. I will not access, view, or request information regarding anyone with whom I do not have a clinical relationship or a need to know to perform my job responsibilities. I acknowledge that my use of the System will be routinely monitored to ensure compliance with this agreement.
I further acknowledge that if I violate any of the terms as stated above, I am subject to loss of System privileges, legal action, and/or any other action available