By Greg Park
There was a very interesting article in the WSJ earlier this year.
It is impossible to secure all of your patient information.
That is the bottom line. None of your security measures, not encryption of data at rest and in motion, and not role-based access to your data, will protect you from authorized users using data in unauthorized ways.
That being said, you still have to do everything you can to secure your data. You must apply the best security that is accessible to you. In that light I want to share with you best practices on securing patient data in RAS and RASi.
Ensure RAS and RASi users see only the documents required to complete their jobs. If your director of surgery uses RASi, make sure he or she only sees patients with a hospital service of surgery. Make sure that patient accounting users can't see clinical reports. Lock down the ability to print, copy or email to only the users who need it, and then make sure you run detailed audit reports on those users.
RAS and RASi are chock-full of audit reports that can be scheduled or run on demand. Reports can be run to analyze when PHI has been emailed, printed, copied or viewed. Make sure you look at this information and find out when PHI is replicated outside of your RAS or RASi environment.
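The two practices above, a least-privilege policy (who may see which service and report class, and who may export at all) and a review of the audit trail against it, can be combined into one routine check. The script below is an added example, not RAS or RASi code: the role names, report classes and the CSV layout of the audit export are assumptions, and the audit rows and patient identifiers are constructed. It flags events the policy would not have allowed (a sign that a role in the product is wider than intended) and users whose print, copy or email volume is high enough to deserve a human look.

```python
import csv
import io
from collections import Counter

# Hypothetical least-privilege policy, one rule per role (assumption: RAS/RASi
# role names and report classes are not specified on the page).
# "services": hospital services the role may see ("*" = any)
# "reports":  report classes the role may see
# "export":   whether the role may print, copy or email (replicate PHI outside RAS)
POLICY = {
    "surgery_director":   {"services": {"SURGERY"}, "reports": {"CLINICAL"}, "export": False},
    "patient_accounting": {"services": {"*"}, "reports": {"BILLING"}, "export": True},
    "him_analyst":        {"services": {"*"}, "reports": {"CLINICAL", "BILLING"}, "export": True},
}

# Actions that move PHI out of the archive; these are the ones to audit closely.
EXPORT_ACTIONS = {"EMAIL", "PRINT", "COPY"}


def check_access(role, action, service, report_class):
    """Return None if the policy permits the event, else a short denial reason.
    Unknown roles are denied: least privilege means deny by default."""
    rule = POLICY.get(role)
    if rule is None:
        return "unknown role"
    if "*" not in rule["services"] and service not in rule["services"]:
        return f"service {service} not permitted for role {role}"
    if report_class not in rule["reports"]:
        return f"report class {report_class} not permitted for role {role}"
    if action in EXPORT_ACTIONS and not rule["export"]:
        return f"{action} not permitted for role {role}"
    return None


# Constructed audit export (CSV). The real RAS/RASi audit report layout is an
# assumption; patient ids and users are made up for the example.
SAMPLE_AUDIT = """\
timestamp,user,role,action,service,report_class,patient_id
2024-03-04T08:01:00,jdoe,surgery_director,VIEW,SURGERY,CLINICAL,P1001
2024-03-04T08:02:00,jdoe,surgery_director,VIEW,CARDIOLOGY,CLINICAL,P2002
2024-03-04T08:03:00,jdoe,surgery_director,EMAIL,SURGERY,CLINICAL,P1001
2024-03-04T09:10:00,asmith,patient_accounting,VIEW,SURGERY,CLINICAL,P1001
2024-03-04T09:11:00,asmith,patient_accounting,PRINT,SURGERY,BILLING,P1001
2024-03-04T10:00:00,rlee,him_analyst,EMAIL,SURGERY,CLINICAL,P1001
2024-03-04T10:05:00,rlee,him_analyst,PRINT,CARDIOLOGY,CLINICAL,P2002
2024-03-04T10:09:00,rlee,him_analyst,COPY,SURGERY,BILLING,P1001
2024-03-04T10:15:00,rlee,him_analyst,PRINT,SURGERY,CLINICAL,P1001
"""


def review_audit(csv_text, export_threshold=3):
    """Return (violations, high_volume_users).

    violations:  events the policy would not have permitted, meaning the role
                 as configured in the product is wider than intended.
    high_volume: users whose export event count meets the threshold; these are
                 authorized exports, but the volume warrants a manual review."""
    violations = []
    exports_per_user = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        reason = check_access(row["role"], row["action"], row["service"], row["report_class"])
        if reason is not None:
            violations.append({"timestamp": row["timestamp"], "user": row["user"],
                               "action": row["action"], "reason": reason})
        if row["action"] in EXPORT_ACTIONS:
            exports_per_user[row["user"]] += 1
    high_volume = {u: n for u, n in exports_per_user.items() if n >= export_threshold}
    return violations, high_volume


if __name__ == "__main__":
    violations, high_volume = review_audit(SAMPLE_AUDIT)
    for v in violations:
        print(f"POLICY VIOLATION {v['timestamp']} {v['user']} {v['action']}: {v['reason']}")
    for user, n in high_volume.items():
        print(f"HIGH EXPORT VOLUME {user}: {n} export events")
```

On the constructed rows this reports three policy violations (the surgery director viewing a cardiology patient and emailing a report despite having no export right, and patient accounting viewing a clinical report) and one high-volume exporter. The policy is written deny-by-default on purpose: a role missing from the table is treated as having no access, so a newly created role in the product shows up in the review rather than silently passing.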
Global time-outs can be established for RAS and RASi. Use them so that when users leave their screens, another user can't snoop their session.
Emails can be set up as an automated workflow or launched interactively by authorized RAS and RASi users. Ensure that RAS Auto-Emails containing PHI are encrypted, and then ask whether emailing and printing are really your best options. Sometimes forcing outside recipients to view documents via RAS or RASi WEB is the best option, because once you print or email a document, you have abdicated control of it.
There are ways that you can de-identify PHI in RAS reports using Monarch. Email firstname.lastname@example.org if you want more information on how to do this.
These are simple steps that can go a long way towards protecting your PHI, but nothing beats a well-informed user. Best practices entail ensuring authorized users understand the implications of revealing PHI, and making sure they understand that you take their guardianship of this data seriously.