Manage Learn to apply best practices and optimize your operations.

Locking down security in the move to electronic medical records

An IT pro shares security and project success tips gleaned from his two-year odyssey to move a group medical practice to electronic health records.

The security of electronic medical records (EMRs) is front and center, as President Barack Obama's administration prepares to spend $19 billion to make digitized patient health records standard procedure for the nation's hospitals and physicians. That sum includes incentives of more than $40,000 per physician and up to several million dollars for hospitals. The aim is to improve medical care, increase the efficiency of heath care delivery and ultimately cut health care costs.

Recent studies suggest there is a long way to go before this happens -- and, along the way, a great risk indeed to sensitive patient medical information. A study published this month in The New England Journal of Medicine found that only 17% of U.S. physicians use either a minimally functional or a comprehensive electronic records system. The adoption of EMRs by U.S. hospitals is lower -- only 9% -- and chiefly among larger hospitals in urban areas.

M. Eric Johnson, professor of operations management and director of the Center for Digital Strategies at Dartmouth College's Tuck School of Business, enumerates in alarming detail the potential financial risks to firms and medical risks to patients of EMRs in a study published in February called "Data Hemorrhages in the Health-Care Sector." The extent of data leakage -- inadvertent and malicious -- suggests that medical fraud could surpass financial fraud and will require, among other measures, better control over information access by health care providers and insurers and punishment for offenders. Indeed, medical professionals are historically the largest group of health care fraud perpetrators.

It is absolutely Big Brotherish.
Don DeasIT manager, Gastrointestinal Associates and Endoscopy Center PA

As taxpayer money is poured into digitizing medical records, IT professionals must be vigilant in pushing for a layered and comprehensive security strategy, agrees Don Deas. IT security is an area that is often the easiest place to cut.

"No matter what you're doing, whether it is electronic medical records or emails, there are certain things you have to do: You have to buy the equipment; you have the buy the licenses. The place where you can cut is security. You just plug it in and hope nothing bad happens," said Deas, IT manager at Gastrointestinal Associates and Endoscopy Center PA in Jackson, Miss.

"If you do that with an email system, you're going to get riddled with viruses. If you do that with an EMR system, you can end up a lot worse off than that," he said.

That's why Deas added sophisticated employee monitoring software and built a security culture that borders on Big Brother while building out electronic medical records at GI Associates. The practice, the largest gastroenterology group in Mississippi with 18 doctors and 250 employees, is two years into converting its medical files to electronic medical records, a $1 million-plus project. In business since 1980, the practice has voluminous records -- 10 rows of patient charts packed floor to ceiling in a room 70 feet by 50 feet. Next week GI Associates marks a milestone: the conversion of one row of files.

To get this far, Deas has upgraded IT infrastructure, studied paper chart workflows and more.

Supplemental security software for electronic medical records

The medical practice uses General Electric Co.'s Centricity EMR electronic medical record system. Deas supplements the built-in security features of Centricity (you can right-click a patient record to see who accessed it) with Spector 360, employee monitoring software from SpectorSoft Corp., the PC and Internet surveillance provider.

One of the big security holes was in the practice's scheduling software. Now, with the Spector software, the practice can search a patient name or ID not just to find out who accessed that record, when and for how long, but also to look at screenshots of what the person was doing when the record was accessed.

More on electronic medical records

Electronic health record adoption an issue for health care CIOs

Electronic medical records at risk of being hacked, report warns

To get the practice's network up to speed, Deas had to "beef up the WAN big time," replacing T1 lines that connected the practice's three offices with a 10 Mbps Metro E pipe between the main office and a remote site in Vicksburg, 70 miles away, and a 50 Mbps Metro pipe to nearby Madison, Miss., which also serves as the medical center's disaster recovery site. A Cisco 2 GB backbone has long replaced the "cheesy little switches" and hubs he found on arrival.

"I don't how much you could say was because of EMR and how much I would have done anyway. But EMR was a big push because before, all that was done on the computers was the scheduling. The doctors didn't really look at them that much."

The following are some of his tips for getting the people and processes in line for EMR:

  • Limit changes. Deas imposed a three-month trial period during which nothing but critical changes would be made to the basic EMR setup. "You don't want to be too responsive. Changes should take time to implement," he cautioned. So hiccups that prevented doctors from doing their jobs were changed immediately; anything procedural had to wait for three months.

    "If we went into this with the goal of making the doctors absolutely happy, we would have started with 16 different form sets [views] on the first day. All of them got on the new system and they all liked the new system, so the changes that we made were much smaller than they could have been."

  • Yes, you need a physician champion. "Physicians will yell at you in a heartbeat. They'll yell at their assistants even faster than that. They're not going to yell at another doctor. They'll have a calm discussion," Deas said.

    Deas credits his physician hero, Dr. Ronald P. Kotfila, a "tech guy" who likes computers and volunteered for the job, for solving 50% of the problems the doctors have and serving as a driving force on the project.

  • Map your business processes before you implement. "If you don't know your workflows, you are dead," Deas said. You must understand how paper is moved around, so you know what the EMR has to do.

    "We locked up about 10 people in a conference room for three days, literally. We had five charts in front of us, so we could see what we were talking about, and we went from the moment the patient gets referred by the doctor or calls in for an appointment through the entire procedure. We still look at those flow charts."

    A note on equipment: You don't need super-fast scanners. Patient files can run 200 pages, with multiple parts that must be entered separately."They can rarely scan more than three pages at a time. We got 15-page-per-minute scanners."

  • Monitor employees' behavior and "make sure your organization knows you are doing it." Deas calls this his "scaring the bejesus out of everybody" security policy, with no apologies. It's easier to prevent a problem than punish it, he points out. GI Associates, for example, does not allow Internet chat, so he makes sure employees know that if the monthly Spector 360 report on chat does not come up no data found, somebody is in trouble, he said. He issues lots of "little corrections," to keep the buzz going that IT is watching.

    "It is absolutely Big Brotherish. If I found out that my ISP was using something like Spector 360, I would blow a gasket, but work is work. There is no legitimate business reason to use it," Deas said. "We are dealing with people's medical records, which is about the most private thing you've got."

The biggest shock to him during the process: "How many people need access to those charts to do their jobs," said Deas, who was hired as a consultant by the practice four years earlier to lay the groundwork for EMR.

And the pleasant surprise: Aside from a few egregious offenders weeded out before the EMR implementation (such as a person running her own business on company time), there wasn't much bad stuff going on. But "until you check, you don't know," Deas said.

Let us know what you think about the story; email: Linda Tucci, Senior News Writer.

Dig Deeper on Small-business IT strategy