Dermatology World October 2011 : Page-18
On the level
Determining the right degree of employee access to your EHR, your network, and social media
BY JOHN CARRUTHERS
Medical practices run best when organized efficiently — employees with clearly delineated and delegated roles, solid processes for delivering medical care, and clear avenues for following up with a patient. In the most successful practices, these processes are planned out well in advance, then improved and tweaked over the years. But as practices make the transition to using electronic health records (EHRs) and digital archiving, the development of these processes can often feel grafted-on, rather than organic. Following some common-sense rules and ensuring that each employee’s level of access to different aspects of the practice’s computer system matches their job function can help practices achieve the efficiency often touted as one of EHR adoption’s biggest benefits.
Both within your office computer network and within your EHR system, determining proper levels for staff member access is vital. Just as there’s no reason for a front-office receptionist to walk back to the accounts receivable desk and start opening drawers, there’s no reason for that level of digital access to be available to members of staff working elsewhere. Recognizing the issue is part of the process, according to Daniel Siegel, M.D., M.S., president-elect of the American Academy of Dermatology, who has presented on EHR adoption at the Academy’s annual and summer meetings and is on the advisory panels for software makers Encite and Modernizing Medicine and for DermFirst, an EHR consultancy.
“It’s generally not that hard to compartmentalize different levels of access in your EHR system. Every vendor is pretty much aware that the medical assistant doesn’t have to have access to accounts receivable,” Dr. Siegel said. “Your billing people have to have access to everything, given their interaction with the insurance companies, and your physician partners and maybe an IT person should have administrative access.”
Most larger EHR systems now offer built-in tiered levels of access, according to Rich Weber, an IT expert who has consulted nationwide on network security and who currently serves as director of IT for OcalaEye ophthalmology practice in Ocala, Fla. As a result, he said, even larger practices with greater-than-average turnover can easily manage levels of access in seconds with a few clicks.
“Inside the EHR, the permissions are set by administrator preferences. You set up a group of users with different permission levels; then you assign them. There will be one for nurses, one for doctors, and the rest of the employee categories,” Weber said. “When new employees come and go, you just drop them in and out of the specific boxes. That gives them their appropriate level of access within whatever your EHR is.”
Network security, Weber said, should run much along the same lines, through the practice’s IT manager or office head of technology. Most employees, he said, don’t need deep access to the network, and providing it offers zero upside for the increased risk.
“The Windows log-in credentials are what you use to get to the practice’s network. That’s also controlled by permissions managed through a directory of active users,” Weber said. “Based on the user and what their needs are, their permissions are dictated accordingly. All it takes is a few clicks of a mouse to remove an employee from the active directory.”
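The group-based model Weber describes for both the EHR and the network directory, written out as an added example that is not part of the article: staff land in role groups, effective access is whatever the groups grant, and an access review catches grants that were clicked in outside the model. Module names, role groups and the staff list are constructed for illustration.

```python
from dataclasses import dataclass, field

MODULES = {"scheduling", "clinical_notes", "accounts_receivable", "admin"}

# Constructed role groups following the article's tiers: billing sees
# everything it needs, the medical assistant never sees accounts
# receivable, physicians and IT hold administrative access.
GROUPS = {
    "medical_assistant": {"scheduling", "clinical_notes"},
    "nurse": {"scheduling", "clinical_notes"},
    "billing": {"scheduling", "clinical_notes", "accounts_receivable"},
    "physician": set(MODULES),
    "it_admin": set(MODULES),
}

@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)
    direct_grants: set = field(default_factory=set)  # ad-hoc grants outside any group
    enabled: bool = True

def effective_access(user):
    """Union of the user's group permissions plus any direct grants."""
    if not user.enabled:
        return set()
    access = set(user.direct_grants)
    for g in user.groups:
        access |= GROUPS[g]
    return access

def can_access(user, module):
    return module in effective_access(user)

def review(users):
    """Flag drift from the group model: grants no role explains, and enabled accounts with no role."""
    findings = []
    for u in users:
        if not u.enabled:
            continue
        via_groups = set().union(*(GROUPS[g] for g in u.groups))
        extra = u.direct_grants - via_groups
        if extra:
            findings.append((u.name, "direct grant outside role", sorted(extra)))
        if not u.groups:
            findings.append((u.name, "enabled account with no role", []))
    return findings

def offboard(user):
    """'Drop them out of the boxes': strip every group and grant, then disable."""
    user.groups.clear()
    user.direct_grants.clear()
    user.enabled = False
    return user

STAFF = [  # constructed sample staff; ma_jones carries an out-of-role grant
    User("ma_jones", {"medical_assistant"}, {"accounts_receivable"}),
    User("billing_lee", {"billing"}),
    User("dr_smith", {"physician"}),
]
```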
According to Peter J. Polack, M.D., a Florida ophthalmologist who runs the Medical Practice Trends website and an accompanying series of podcasts, even those with full administrative access should tread lightly. Some physicians, he said, may accidentally alter network settings, creating additional work for IT employees or consultants. Worse, he said, some may do so unknowingly and suspect malicious influence, either from inside or outside the practice.
“For a lot of the network permissions, we left the decisions to our director of IT. There’s a lot of ‘need to know’ on who has access to what,” Dr. Polack said. “Anyone might mess things up if they go traipsing around in an area where they don’t need to be. As a result, even when updates for Java or Flash pop up while an employee logs on, it’s completely up to the IT director to decide if they’re able to run those updates.”
Apart from EHR and active-user permissions, steps should be taken to minimize risk to the network and to protected patient information. One might expect this to lead to tight restrictions on Internet access. Yet with benefit verification increasingly moving online, teaching the office system to parse permitted sites from prohibited ones can prove more difficult than expected.
Dr. Siegel said his practice has tried restricting access, but warns that it can result in blocking sites that staff need to visit to verify patient insurance information and look up labs. “If you restrict access too tightly, it makes many of your processes difficult to function. We found it almost impossible. Sometimes if you restrict too tightly, it might block access to the pages you need. So we don’t have any restrictions other than really dangerous spots.”
Given time, Weber said, an IT consultant or employee should be able to install security parameters that allow for proper access.
“We have our own proxy servers set up. Rather than having a separate box that filters our stuff, we have WatchGuard firewalls that have the ability to serve as a proxy server. It’s basically a content filter based on discretionary topics. It will automatically bar you from sites that have certain topics in broad strokes, with exceptions made. You can allow anything that’s specifically medical to be caught in an exclusionary list so it’s not blocking everything with, say ‘breasts’ in the content,” he said. “What’s nice about doing a firewall is that you can be a lot more granular. Ours is pretty much turn on and turn off. You can imagine that the physicians and certain staff would have full access. You want to block the shopping sites, anything adult-oriented, any social networking. You want to keep everyone off those kinds of sites.”
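The filtering logic Weber outlines, as an added example that is not the article's or WatchGuard's code: a medical exception list is evaluated before the category blocks, full-access roles bypass the filter, and a crude keyword scan shows how an unexcepted medical page mentioning "breasts" gets blocked. Domains, categories, roles and the sample requests are constructed.

```python
from urllib.parse import urlparse

BLOCKED_CATEGORIES = {"shopping", "adult", "social_networking"}

# Exclusion list: medical sites stay reachable whatever the keyword scan says.
MEDICAL_ALLOWLIST = {"aad.org", "medlineplus.gov", "payerportal.example"}

# Tiering as described: physicians and IT get full access, everyone else is filtered.
FULL_ACCESS_ROLES = {"physician", "it_admin"}

# Crude keyword classifier standing in for a vendor topic scan; the source of false positives.
ADULT_KEYWORDS = {"breasts", "xxx"}

# Constructed category table standing in for the vendor's URL database.
CATEGORY_DB = {"shop.example": "shopping", "social.example": "social_networking"}

def host_matches(host, domains):
    return any(host == d or host.endswith("." + d) for d in domains)

def categorize(host, page_text, category_db=CATEGORY_DB):
    """Category from the lookup table, falling back to a keyword scan of the page."""
    if host in category_db:
        return category_db[host]
    if any(k in page_text.lower() for k in ADULT_KEYWORDS):
        return "adult"
    return "uncategorized"

def decide(role, url, page_text="", category_db=CATEGORY_DB):
    """Return ('allow'|'block', reason). Exceptions are checked before any block."""
    host = urlparse(url).hostname or ""
    if role in FULL_ACCESS_ROLES:
        return "allow", "full-access role"
    if host_matches(host, MEDICAL_ALLOWLIST):
        return "allow", "medical exception list"
    cat = categorize(host, page_text, category_db)
    if cat in BLOCKED_CATEGORIES:
        return "block", "category " + cat
    return "allow", "category " + cat
```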
In addition to active security measures, Dr. Siegel recommends taking advantage of the office’s servers to employ passive monitoring as a prophylactic measure against any malicious activity or future issues that may arise with or between employees.
“There is software that you can put on a server that monitors all traffic on all computers. As an employer, you’re entitled to see everything that everyone has done — employees give up privacy on their work computers during work hours,” he said. “Even if you don’t actively go through the log on a regular basis, at least record everything so that you can see what was viewed if there’s a complaint or an issue. We had a complaint one time that someone was surfing pornography on the Internet, and it turned out that someone had forgotten to log off and the cleaning crew had pulled up some dirty pictures. We could tell based on the time of day.”
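The time-of-day check that resolved Dr. Siegel's complaint, as an added example that is not from the article: proxy hits are matched against each account's scheduled hours, and any after-hours hit is annotated with whether the workstation's session was ever logged off. The log formats, account names, hours and timestamps are all constructed.

```python
from datetime import datetime, time

# Constructed scheduled hours per account; hits outside them are suspect.
WORK_HOURS = {"ma_jones": (time(8, 0), time(17, 30)), "dr_smith": (time(7, 0), time(19, 0))}

# Constructed workstation session events: timestamp, workstation, account, event.
SESSION_LOG = """\
2011-10-03T07:58:00 WS-FRONT1 ma_jones logon
2011-10-03T06:50:00 WS-EXAM2 dr_smith logon
2011-10-03T18:40:00 WS-EXAM2 dr_smith logoff
"""

# Constructed proxy log: timestamp, workstation, account, URL, action, category.
PROXY_LOG = """\
2011-10-03T10:12:41 WS-FRONT1 ma_jones https://payerportal.example/eligibility ALLOW health
2011-10-03T18:10:00 WS-EXAM2 dr_smith https://medlineplus.gov/ ALLOW health
2011-10-03T21:47:03 WS-FRONT1 ma_jones https://adult.example/gallery BLOCK adult
2011-10-03T21:49:30 WS-FRONT1 ma_jones https://adult2.example/ BLOCK adult
"""

def parse(text, fields):
    """Split space-separated lines into dicts and parse the ISO timestamp."""
    rows = []
    for line in text.strip().splitlines():
        row = dict(zip(fields, line.split(None, len(fields) - 1)))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows

def unclosed_sessions(session_rows):
    """{workstation: (account, logon_ts)} for sessions with no matching logoff."""
    open_ = {}
    for r in sorted(session_rows, key=lambda r: r["ts"]):
        if r["event"] == "logon":
            open_[r["ws"]] = (r["account"], r["ts"])
        elif r["event"] == "logoff":
            open_.pop(r["ws"], None)
    return open_

def after_hours_hits(proxy_rows, session_rows, work_hours):
    """Hits outside the account holder's hours, noting whether the session was left open."""
    still_open = unclosed_sessions(session_rows)
    findings = []
    for r in proxy_rows:
        start, end = work_hours[r["account"]]
        if start <= r["ts"].time() <= end:
            continue
        note = "no logoff recorded for workstation" if r["ws"] in still_open else "logoff recorded"
        findings.append((r["ts"].isoformat(), r["ws"], r["account"], r["url"], note))
    return findings

def run():
    return after_hours_hits(parse(PROXY_LOG, ["ts", "ws", "account", "url", "action", "category"]),
                            parse(SESSION_LOG, ["ts", "ws", "account", "event"]), WORK_HOURS)
```

An after-hours hit on a workstation with no logoff recorded points at an unattended session rather than at the account holder, which is the distinction the practice needed.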
Recalling his days as a consultant, Weber said that, in the end, human error or carelessness is most often the biggest gap in security. As an example, he recalled a consulting job at a major university.
“I’ve done a lot of consulting across the country over the last few years, specifically on security. I was at a university, and they had firewalls everywhere, and passwords changing every 90 days, and restricted use for everything. But that was all for accessing the network off-campus. Once you were on campus, you had full access to almost everything,” he said. “And in terms of behavior, the IT department there were the biggest violators. They were downloading movies and songs and shopping — just crushing the network. People were hosting their own sites using the network. It was really, really bad. Your end user is why you have to have the same security inside and outside.”
As part of security inside, he said, it’s vital to train employees to lock their workstations when they step away from their machines, even for a few minutes. To assist in this, many companies sell key-fob-sized proximity access keys that will log an employee out once they move a certain distance from their workstation. There are also fobs that generate a single-use login for employees. These options, Weber said, eliminate a great deal of user error.
“When you’re looking to eliminate security risk from weak passwords or employees not locking their stations, these options can make the lives of physicians and nurses a lot more comfortable. If your workstation is unsecured, anyone can walk up and gain access to not only protected information, but your office network. And if they’re any good with computers, they can do a lot worse,” he said. “That’s the number one violation I see across the board.”
Read the full article at http://digital.ipcprintservices.com/article/On+the+level/849229/82972/article.html.