VPN Haus: What are the basics for provisioning employees at healthcare organizations?

Maglothin: All systems should have all users using unique passwords. Thus, the system has an electronic audit trail to record which employees accessed which records, with statistical outlier reporting.

VPN Haus: How do you ensure that the records are not so tightly controlled that it delays specialists asked to consult on the case or ICU personnel from urgently accessing the records?

Maglothin: All stations should have a time-out feature, and work stations in areas such as ICU and CCU are considered more secure/personnel constantly present, so the station’s time out may be longer. Once a station is logged-on, switching users by password should be real-time.

The greater issue is all the bedside workstations/wireless devices. If it takes more than 15-30 seconds to log-on (some take 90 seconds), then if a physician logs-on to 30 patients a day, that’s 45 minutes of lost PHYSICIAN productivity – no patient care and no reimbursement. Doesn’t sound like much. But calculate 40 hours per week for 250 days per year, this equals 188 hours or more than 4.5 work weeks lost to nothing but logging in!

VPN Haus: Staggering. So, if the consultant couldn’t access the records, it would be an example of a poor sensitivity error. What other errors should healthcare organizations be mindful of?

Maglothin: There’s the error of excessive credulity. An example would be a unit clerk on a certain building having a password that would allow her access to, say outpatient records or mental health unit records, for which she would have no reason to have access to.

There’s also the error of excessive skepticism. An example would be, a cardiologist might not be cleared to access mental health records, but one of the patients has just had a cardiac code and the cardiologist is called in for a STAT consult.

Marshall Maglothin is owner of Blue Oak Consulting, based in Washington DC.

The push is on for adoption and if healthcare providers don’t adapt, they face some potentially sharp teeth. We read that, “Failure to implement EMR by 2014 may result in increased malpractice premiums and increased exposure to malpractice claims, as well as a reduction in Medicare reimbursement, beginning in 2015”. Ouch!

So what’s the tie to VPN’s? We see a significant portion of the EMR communications being wireless. Don’t believe us? Next time you’re in a hospital, take note of all the handheld devices the staff is marching around with. How about hospice workers who update records via PDA’s? How about in-facility WLAN and WiFi networks? Doctors use laptops from room to room and hotspots are popping up in cafeterias, waiting rooms, etc. all over the country. The list goes on and as it grows so does the threat to information traveling wirelessly.

EMRs are a great benefit to the healthcare industry and have the potential to improve patient care definitively. With solid VPN’s in place, HIPAA can be satisfied as well as protecting the great benefits wireless communications have on worker productivity. The right VPN tech is important too – avoiding vendor lock, ensuring the tech fits facility policy and doesn’t force policy changes, and it must be easy enough to users that they don’t even notice it’s running (otherwise, they’ll find a way around it!).

HIPAA is a collection of standards striving for an effective and efficient method of exchanging information to the right people in a secure manner, thereby creating streamlined workflows in an electronic environment, and so delivering higher quality yet affordable health care. The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

The Privacy Rule protects all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. The Privacy Rule calls this information “protected health information (PHI).”

This ranges from keeping file cabinets/record rooms locked, stricter access controls to computers (password requirements or smart card authentication), to the more complex data storage, digital signatures to ensure non-repudiation, etc.

Let’s focus on the PHI that is being transmitted, or in other words, when Electronic Protected Health Information is being transported over open networks: that’s where secure communication plays a role; this is where NCP steps up to the plate.  These requirements are not by any means limited to HIPAA, as these same requirements are also applicable to the financial institutions, government departments, police departments, and so forth.

What our customers in these different fields appreciate is NCP’s understanding of secure communications: the safeguarding of the data in transit; but also verifying the authenticity and authorization of the person receiving and transmitting the information by means of strong authentication (multi-factor authentication).  The HIO in question can select which vendor/provider they want to use for this; be it a PKI environment with smart cards or an OTP setup, NCP is flexible and will allow for this freedom of choice.

- Strong Authentication: the assurance to one entity that another entity is who he, she, or it claims to be,

- Integrity: the assurance to an entity that data has not been altered (intentionally or unintentionally) in transit,

- Confidentiality: the assurance to an entity that no one can read a particular piece of data except the receiver(s) explicitly intended.

Of course one can impose a lot of restrictions on the user; but besides some user awareness (often overlooked; as not everything can be locked down by technology — think about discussions about patients and treatments in public areas between personnel or with family members), is user-friendliness.  When a user is confronted with a lot of barriers that keep them from performing their work in an efficient effective manner, they will inevitably find a way to circumvent this.  By making the procedure of establishing a secure connection as easy and as transparent as possible for the user, yet maintaining a high level of security, an administrator can tick this requirement on the list and have the assurance that this base is covered.