HealthData Management, November 7, 2011
BEI Commentary: This article reflects the whole point of Core Measure 15 – Risk Analysis. You need to make sure that you have put in place reasonable security procedures regarding your IT Infrastructure. Clearly, the practice in this article was caught off-guard.
Earlier this year, Janet Spangler got an object lesson in the tension between data access and security. A new patient at Family Medical Associates of Raleigh (N.C.) toted his own laptop into the exam room, recalls Spangler, administrator at the five-physician group practice. When the physician arrived, the patient–a computer technician–turned his laptop around, revealing he had just gained access into the group’s ostensibly secure wireless network, then admonishing the physician about the need to improve access controls. “We have since modified our wireless system,” Spangler says. “But the experience left us uneasy.”
No sensitive information was exposed during the interlude, but the episode gives insight into why Family Medical Associates takes what Spangler describes as “a conservative approach” to data access. Not only did the group bolster its firewall against unwarranted outside intrusion, it put limits on what its own staff can see on the EHR, an ambulatory system from Greenway Medical Technologies that has been in place for five years. The practice even takes the extraordinary step of maintaining any employee medical records on paper–in a locked cabinet–and not on the EHR. “We can restrict access to our online charts, but you don’t want records inappropriately accessed by other staff,” she explains. “We are all for access if it results in better care. But we are quick to limit access if there’s a risk of a security breach.”