Managing Electronic Health Record Security

Identity and Compliance in the Age of Cloud EHRs

In 2020, the United States saw 616 healthcare-related data breaches. Not surprisingly, this gave hackers access to huge volumes of protected health information (PHI), which sells for $250 per record on the Dark Web. The dangers are well-known: bad actors can use stolen health records to create false medical claims, phony prescriptions, targeted phishing campaigns, and multiple identities.

In the healthcare industry, the cost of a  breach is as high as $408 per record (on average). And this doesn’t count the impact to an organization’s reputation or additional regulatory oversight and remediation costs. Failing to provide patients with timely access to their health records can also evoke penalties. But outside threats aren’t the only security challenge facing the healthcare industry.  48 percent of reported health information breaches stem from inside organizations. The wrong employees accessing patient health records can result in significant federal and state fines. It’s no surprise that IBM Security places the cost of healthcare breaches at $7.13 million, the highest in any industry.

Securing PHI and the Rise of EHRs

The Health Insurance Portability and Accountability Act (HIPAA) was the initial push to protect patient health information in 1996. But it wasn’t until the 2010 Patient Protection and Affordable Care Act (PPACA) that many healthcare organizations moved to incorporate Electronic Health Records (EHRs) into their operations. Today, EHRs house vast amounts of PHI.

Despite the native security controls in EHRs, managing secure health records access for tens of thousands of providers, patients, and associates at once is a significant strain. Worst of all, this can negatively affect patient care.

Healthcare has traditionally lagged behind the technology curve for patient privacy and security, primarily due to legacy systems and reliance on a mix of disconnected point solutions. Applications often have separate access management interfaces that aren’t integrated into an Identity and Access Management (IAM) or federated login (SSO) framework. The administrative overhead of adding, removing, and suspending these accounts — in conjunction with ensuring effective audit and compliance logging — is a monumental task, adding an additional burden on overloaded hospitals and healthcare organizations.

Protecting EHRs from cyberattacks and mishandling of health information presents a complex and urgent challenge for the healthcare industry. This article will look at how modern healthcare organizations can leverage identity management capabilities to improve their security posture and meet continuous compliance standards.

Defense Outside Traditional Walls

As organizations continue to move their EHRs to the cloud, more electronic health records reside outside traditional network security boundaries. Ensuring their protection is vital to maintaining HIPAA compliance and avoiding the high costs of breach remediation.

Cloud-based EHR systems require additional configuration and management to ensure that data is secure. These systems no longer use fixed assets, and instead, instances of servers come and go in the cloud. To make matters worse, these challenges can’t be solved by traditional role-based identity solutions that healthcare companies have relied on in the past. Legacy tools simply aren’t built to manage this.

It’s easy for organizations to turn to role-based solutions to ensure that access is readily available, but this can contribute to over access and misuse of access, leading to HIPAA violations. Role-based solutions don’t provide organizations the visibility into identity misuse or over-allocation. And they don’t meet the stringent HIPAA guidelines for enforcement of the principle of least privilege and segregation of duties (SoD).

To guarantee that their data is protected, healthcare organizations need to understand how it’s used. Drawing the perimeter at identity allows organizations to control their PHI access no matter where this information exists. 

Learn more about how healthcare providers can balance information sharing and patient privacy for better care.

Integrated Identity Solutions Strengthen EHRs

Cloud Electronic Health Record use continues expanding and accounts for a majority of the market share with the rapid acceleration of cloud migration. Cloud-based EHRs can’t  effectively balance patient privacy across diverse user populations and data storage locations alone. HIPAA requires that risk-based controls are applied consistently and continuously by healthcare organizations to remain in compliance.

Organizations need additional support to maintain the principle of least privilege for transient care providers, labs, clinics, and specialists to prevent accidental or malicious privilege misuse. This requires deep visibility into how access is currently assigned and contextual information to evaluate access requests for risk. Streamlining the process by automatically approving low-risk requests while higher-risk requests are escalated for further review reduces administrative overhead.

See how Saviynt’s Integrated Solution uses automation to streamline access requests.

Electronic Health Record system providers such as Epic or Cerner benefit from integrated identity solutions that provide fine-grained entitlements and controls to enforce risk-based access policies. This helps to meet regulatory compliance and industry standards. Integrated Identity Governance and Administration (IGA) solutions log and monitor the state of applied controls and access. This automated tracking of access data streamlines the audit process and enables the continuous and consistent application of access controls.  

EHRs & IGA are a Winning Combination 

An IGA solution that integrates with major EHR providers enables healthcare organizations to embrace the benefits of cloud transformation without sacrificing security or compliance. Providers gain in-depth insights into how rights and access for users are assigned. Using risk-based analytics, they can manage requests and quickly deliver access without sacrificing security. By consistently monitoring the environment, they can meet auditors’ needs, providing evidence that organizations are continually in compliance.

Read more about what the future of healthcare security holds in Future-Proofing Healthcare Security.