Determining the right degree of employee access to your EHR, your network, and social media
By John Carruthers, staff writer, October 01, 2011

Medical practices run best when organized efficiently: employees with clearly delineated and delegated roles, solid processes for delivering medical care, and clear avenues for following up with a patient. In the most successful practices, these processes are planned out well in advance, then improved and tweaked over the years. But as practices make the transition to electronic health records (EHRs) and digital archiving, the development of these processes can often feel grafted on rather than organic. Following some common-sense rules, and ensuring that each employee’s level of access to each part of the practice’s computer system matches their job function, can help practices achieve the efficiency often touted as one of EHR adoption’s biggest benefits.
Both within your office computer network and within your EHR system, determining proper levels for staff member access is vital. Just as there’s no reason for a front-office receptionist to walk back to the accounts receivable desk and start opening drawers, there’s no reason for that level of digital access to be available to members of staff working elsewhere. Recognizing the issue is part of the process, according to Daniel Siegel, MD, MS, president-elect of the American Academy of Dermatology, who has presented on EHR adoption at the Academy’s annual and summer meetings and is on the advisory panels for software makers Encite and Modernizing Medicine and for DermFirst, an EHR consultancy.
“It’s generally not that hard to compartmentalize different levels of access in your EHR system. Every vendor is pretty much aware that the medical assistant doesn’t have to have access to accounts receivable,” Dr. Siegel said. “Your billing people have to have access to everything, given their interaction with the insurance companies, and your physician partners and maybe an IT person should have administrative access.”
Most larger EHR systems now offer built-in tiered levels of access, according to Rich Weber, an IT expert who has consulted nationwide on network security and who currently serves as director of IT for OcalaEye ophthalmology practice in Ocala, Fla. As a result, he said, even larger practices with greater-than-average turnover can easily manage levels of access in seconds with a few clicks.
“Inside the EHR, the permissions are set by administrator preferences. You set up a group of users with different permission levels; then you assign them. There will be one for nurses, one for doctors, and the rest of the employee categories,” Weber said. “When new employees come and go, you just drop them in and out of the specific boxes. That gives them their appropriate level of access within whatever your EHR is.”
Network security, Weber said, should run much along the same lines, through the practice’s IT manager or office head of technology. Most employees, he said, don’t need deep access to the network, and providing it offers zero upside for the increased risk.
“The Windows log-in credentials are what you use to get to the practice’s network. That’s also controlled by permissions managed through a directory of active users,” Weber said. “Based on the user and what their needs are, their permissions are dictated accordingly. All it takes is a few clicks of a mouse to remove an employee from the active directory.”
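The group-based model Weber describes for both the EHR and the Windows network comes down to a small set of role groups, membership changes on hire and departure, and a way to review who holds what. The script below is an added example, not the practice’s own configuration or any vendor’s tooling: it implements that model against Active Directory with the ActiveDirectory PowerShell module (RSAT). The domain, OU paths, group names and the account names in the usage lines are assumptions for illustration. The offboarding routine disables sign-in first, so that if a later step fails the account is already dead rather than still usable with stale group rights.

```powershell
# Added example (not from the article): role-group provisioning and
# offboarding in Active Directory. Domain, OU paths, group names and
# sample accounts are assumptions for illustration.
Import-Module ActiveDirectory

$RoleOU     = 'OU=Roles,DC=practice,DC=local'           # assumed
$DisabledOU = 'OU=Disabled Users,DC=practice,DC=local'  # assumed
$RoleGroups = @{
    'EHR-Clinical'  = 'Nurses and medical assistants: charts, no accounts receivable'
    'EHR-Billing'   = 'Billing staff: charts plus accounts receivable'
    'EHR-Physician' = 'Physicians: full clinical access'
    'EHR-Admin'     = 'Physician partners and IT: EHR administration'
}

function New-RoleGroups {
    # Idempotent: creates only the role groups that do not exist yet.
    foreach ($name in $RoleGroups.Keys) {
        if (-not (Get-ADGroup -Filter "Name -eq '$name'" -ErrorAction SilentlyContinue)) {
            New-ADGroup -Name $name -GroupScope Global -GroupCategory Security `
                        -Path $RoleOU -Description $RoleGroups[$name]
        }
    }
}

function Grant-Role {
    param([string]$SamAccountName, [string]$Role)
    if (-not $RoleGroups.ContainsKey($Role)) { throw "Unknown role: $Role" }
    Add-ADGroupMember -Identity $Role -Members $SamAccountName
}

function Revoke-Employee {
    # Offboarding order matters: disable sign-in, record why, strip every
    # group membership, then park the object where nobody re-enables it by habit.
    param([string]$SamAccountName, [string]$Ticket)
    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf
    Disable-ADAccount -Identity $user
    Set-ADUser -Identity $user -Description "Disabled $(Get-Date -Format s) ref $Ticket"
    foreach ($groupDn in $user.MemberOf) {
        # The primary group (Domain Users) is not listed in MemberOf and stays.
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }
    Move-ADObject -Identity $user -TargetPath $DisabledOU
}

function Test-RoleMembership {
    # Periodic review: every group a user holds, with non-role groups flagged
    # so ad-hoc grants stand out.
    param([string]$SamAccountName)
    Get-ADPrincipalGroupMembership -Identity $SamAccountName |
        Select-Object Name, @{ n = 'IsRoleGroup'; e = { $RoleGroups.ContainsKey($_.Name) } }
}

# Usage (assumed accounts):
# New-RoleGroups
# Grant-Role -SamAccountName 'jdoe' -Role 'EHR-Clinical'
# Test-RoleMembership -SamAccountName 'jdoe'
# Revoke-Employee -SamAccountName 'jdoe' -Ticket 'HR-0042'
```

The same role groups can be mapped to the EHR’s own permission tiers where the product supports directory groups, so that one membership change covers both systems; where it does not, the EHR’s groups must be changed by hand in the same offboarding ticket.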
According to Peter J. Polack, MD, a Florida ophthalmologist who runs the Medical Practice Trends website and an accompanying series of podcasts, even those with full administrative access should tread lightly. Some physicians, he said, may accidentally alter network settings, creating additional work for IT employees or consultants. Worse, he said, some may do so unknowingly and suspect malicious influence, either from inside or outside the practice.
“For a lot of the network permissions, we left the decisions to our director of IT. There’s a lot of ‘need to know’ on who has access to what,” Dr. Polack said. “Anyone might mess things up if they go traipsing around in an area where they don’t need to be. As a result, even when updates for Java or Flash pop up while an employee logs on, it’s completely up to the IT director to decide if they’re able to run those updates.”
Apart from EHR and network directory permissions, steps should be taken to minimize risk to the network and to protected patient information. One might expect this to lead to tight restrictions on Internet access. Yet with benefit verification increasingly moving online, teaching the office system to tell permitted sites from prohibited ones can prove more difficult than expected.
Dr. Siegel said his practice has tried restricting access, but warns that it can end up blocking sites that staff need to visit to verify patient insurance information and look up labs. “If you restrict access too tightly, it makes many of your processes difficult to function. We found it almost impossible. Sometimes if you restrict too tightly, it might block access to the pages you need. So we don’t have any restrictions other than really dangerous spots.”
Given time, Weber said, an IT consultant or employee should be able to install security parameters that allow for proper access.
“We have our own proxy servers set up. Rather than having a separate box that filters our stuff, we have WatchGuard firewalls that have the ability to serve as a proxy server. It’s basically a content filter based on discretionary topics. It will automatically bar you from sites that have certain topics in broad strokes, with exceptions made. You can allow anything that’s specifically medical to be caught in an exclusionary list so it’s not blocking everything with, say, ‘breasts’ in the content,” he said. “What’s nice about doing a firewall is that you can be a lot more granular. Ours is pretty much turn on and turn off. You can imagine that the physicians and certain staff would have full access. You want to block the shopping sites, anything adult-oriented, any social networking. You want to keep everyone off those kinds of sites.”
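The policy Weber describes has three parts that must be evaluated in a fixed order: an exception list of medical sites that always wins, a category lookup, and a per-group list of blocked categories (physicians keeping full access). The script below is an added example, not the practice’s WatchGuard configuration: it expresses that evaluation order as a function so a rule set can be tested against real URLs before it is pushed to the firewall. The category table, the allowlist entries and the group policies are assumed stand-ins; a real deployment would feed them from the vendor’s category service and the directory groups.

```powershell
# Added example (not the article's firewall configuration): the evaluation
# order of a category-based web filter with a medical allowlist. Category
# data, allowlist and group policies below are assumptions for illustration.

$Allowlist = @('availity.com', 'labcorp.com', 'questdiagnostics.com')   # assumed medical sites
$CategoryOf = @{                                                         # assumed stand-in for the vendor category feed
    'facebook.com'       = 'SocialNetworking'
    'amazon.com'         = 'Shopping'
    'example-adult.test' = 'Adult'
    'breastcancer.org'   = 'Health'
}
$BlockedFor = @{                                                         # per-group blocked categories
    'Staff'      = @('Shopping', 'Adult', 'SocialNetworking')
    'Marketing'  = @('Shopping', 'Adult')
    'Physicians' = @('Adult')
}

function Get-HostName([string]$Url) {
    # Expects a full URL with scheme; [Uri] parsing avoids matching on path text.
    ([System.Uri]$Url).Host.ToLowerInvariant()
}

function Test-DomainMatch([string]$HostName, [string]$Domain) {
    # Suffix match on a label boundary: portal.labcorp.com matches labcorp.com,
    # notlabcorp.com does not.
    ($HostName -eq $Domain) -or $HostName.EndsWith(".$Domain")
}

function Test-WebAccess {
    param([string]$Url, [string]$Group)
    if (-not $BlockedFor.ContainsKey($Group)) { throw "No policy for group: $Group" }
    $h = Get-HostName $Url

    # 1. Explicit medical exceptions win over any category verdict.
    foreach ($d in $Allowlist) {
        if (Test-DomainMatch $h $d) {
            return [pscustomobject]@{ Url = $Url; Group = $Group; Allowed = $true; Reason = 'allowlist' }
        }
    }

    # 2. Category lookup; hosts the feed does not know stay 'Unknown', which
    #    no group blocks: the filter is by topic, not deny-all.
    $cat = 'Unknown'
    foreach ($d in $CategoryOf.Keys) {
        if (Test-DomainMatch $h $d) { $cat = $CategoryOf[$d]; break }
    }

    # 3. The group's blocked-category list decides.
    $blocked = $BlockedFor[$Group] -contains $cat
    [pscustomobject]@{ Url = $Url; Group = $Group; Allowed = (-not $blocked); Reason = "category:$cat" }
}

# Usage:
# Test-WebAccess 'https://www.facebook.com/' 'Staff'
# Test-WebAccess 'https://www.facebook.com/' 'Marketing'
# Test-WebAccess 'https://portal.labcorp.com/' 'Staff'
# Test-WebAccess 'https://www.breastcancer.org/' 'Staff'
```

The allowlist check runs first on purpose: a site in a blocked category that the practice needs (a patient-education page that a keyword filter would trip on) is let through without loosening the category rule for everyone.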
In addition to active security measures, Dr. Siegel recommends taking advantage of the office’s servers to employ passive monitoring as a prophylactic measure against any malicious activity or future issues that may arise with or between employees.
“There is software that you can put on a server that monitors all traffic on all computers. As an employer, you’re entitled to see everything that everyone has done — employees give up privacy on their work computers during work hours,” he said. “Even if you don’t actively go through the log on a regular basis, at least record everything so that you can see what was viewed if there’s a complaint or an issue. We had a complaint one time that someone was surfing pornography on the Internet, and it turned out that someone had forgotten to log off and the cleaning crew had pulled up some dirty pictures. We could tell based on the time of day.”
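The value of a log that is recorded but rarely read shows up exactly in the situation Dr. Siegel describes: a complaint arrives later, and the question is who was actually at the workstation when the hits occurred. The script below is an added example, not the monitoring product the practice uses: it parses a proxy log and flags hits in a sensitive category outside business hours, reporting how long the workstation had been quiet beforehand. A multi-hour gap followed by after-hours activity under a still-logged-on account is the pattern of a session left unlocked. The log format and every entry in it are constructed for this illustration.

```powershell
# Added example (not the article's monitoring product): reviewing a proxy
# log to answer "who was at that workstation, and when?". The log format
# and every entry below are constructed for this illustration.
$SampleLog = @'
2011-09-14T12:05:11 WS-FRONT2 jsmith www.availity.com       Health allow
2011-09-14T17:42:03 WS-FRONT2 jsmith www.example-news.test  News   allow
2011-09-14T21:17:45 WS-FRONT2 jsmith www.example-adult.test Adult  block
2011-09-14T21:18:02 WS-FRONT2 jsmith www.example-adult.test Adult  block
2011-09-15T08:01:30 WS-FRONT2 jsmith www.labcorp.com        Health allow
'@

function ConvertFrom-ProxyLog([string]$Text) {
    # Whitespace-separated fields: time workstation user host category action
    foreach ($line in ($Text -split "`r?`n")) {
        if (-not $line.Trim()) { continue }
        $f = $line -split '\s+'
        [pscustomobject]@{
            Time        = [datetime]::ParseExact($f[0], 's', $null)
            Workstation = $f[1]
            User        = $f[2]
            Host        = $f[3]
            Category    = $f[4]
            Action      = $f[5]
        }
    }
}

function Find-AfterHoursHits {
    # Flags hits in a sensitive category outside business hours and reports
    # how long the workstation had been quiet before them.
    param([object[]]$Entries, [string[]]$Categories = @('Adult'),
          [int]$OpenHour = 8, [int]$CloseHour = 18)
    foreach ($station in ($Entries | Sort-Object Time | Group-Object Workstation)) {
        $lastNormal = $null
        foreach ($e in $station.Group) {
            $afterHours = ($e.Time.Hour -lt $OpenHour) -or ($e.Time.Hour -ge $CloseHour)
            if ($afterHours -and ($Categories -contains $e.Category)) {
                $quiet = if ($lastNormal) { $e.Time - $lastNormal.Time } else { [timespan]::Zero }
                $assessment = if ($quiet.TotalHours -ge 1) { 'idle session, logged-on user probably absent' }
                              else { 'active session' }
                [pscustomobject]@{
                    Time         = $e.Time
                    Workstation  = $e.Workstation
                    LoggedOnUser = $e.User
                    Host         = $e.Host
                    QuietBefore  = $quiet
                    Assessment   = $assessment
                }
            } else {
                # Only ordinary activity resets the clock, so a run of flagged
                # hits is all measured from the last real use of the station.
                $lastNormal = $e
            }
        }
    }
}

# Usage:
# Find-AfterHoursHits -Entries @(ConvertFrom-ProxyLog $SampleLog) | Format-Table -AutoSize
```

The assessment is a lead, not proof: the log shows that the account, not the person, was active, which is why the next step in such a case is the workstation’s own logon and lock events for the same window.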
Recalling his days as a consultant, Weber said that, in the end, human error or carelessness is most often the biggest gap in security. As an example, he recalled a consulting job at a major university.
“I’ve done a lot of consulting across the country over the last few years, specifically on security. I was at a university, and they had firewalls everywhere, and passwords changing every 90 days, and restricted use for everything. But that was all for accessing the network off campus. Once you were on campus, you had full access to almost everything,” he said. “And in terms of behavior, the IT department there were the biggest violators. They were downloading movies and songs and shopping — just crushing the network. People were hosting their own sites using the network. It was really, really bad. Your end user is why you have to have the same security inside and outside.”
As part of security inside, he said, it’s vital to train employees to lock their workstations when they step away from their machines, even for a few minutes. To assist in this, many companies sell key-fob-sized proximity tokens that log an employee out once they move a certain distance from their workstation. There are also fobs that generate a single-use login code (one-time password tokens). These options, Weber said, eliminate a great deal of user error.
“When you’re looking to eliminate security risk from weak passwords or employees not locking their stations, these options can make the lives of physicians and nurses a lot more comfortable. If your workstation is unsecured, anyone can walk up and gain access to not only protected information, but your office network. And if they’re any good with computers, they can do a lot worse,” he said. “That’s the number one violation I see across the board.”
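Training and proximity fobs both depend on the person; an idle-lock policy on the workstation is the backstop for the minute they forget. The script below is an added example, not from the article or the practice: it sets the policy values that force a password-protected screen lock after a period of inactivity and provides a check that an auditor can run on any machine. The ten-minute timeout is an assumption (no regulation on the page names a value); on a domain the same keys are normally pushed by Group Policy rather than set per machine as here.

```powershell
# Added example (not from the article): enforce a password-protected idle
# lock through the screen-saver policy keys, and audit the result.
# The 600-second timeout is an assumption for illustration.
$PolicyKey = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'

function Set-IdleLock([int]$TimeoutSeconds = 600) {
    # Policy keys override the user's own Control Panel settings.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveActive'    -Value '1'
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaverIsSecure' -Value '1'               # password on resume
    Set-ItemProperty -Path $PolicyKey -Name 'ScreenSaveTimeOut'   -Value "$TimeoutSeconds"
    Set-ItemProperty -Path $PolicyKey -Name 'SCRNSAVE.EXE'        -Value 'scrnsave.scr'    # blank screen, no content shown
}

function Test-IdleLock([int]$MaxSeconds = 900) {
    # Returns whether the lock is enforced and within the allowed timeout.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $enforced = ($null -ne $p) -and
                ($p.ScreenSaveActive -eq '1') -and
                ($p.ScreenSaverIsSecure -eq '1') -and
                ([int]$p.ScreenSaveTimeOut -le $MaxSeconds)
    [pscustomobject]@{ Enforced = $enforced; TimeoutSeconds = $p.ScreenSaveTimeOut }
}

function Lock-Workstation {
    # Immediate lock, the same thing Win+L does; useful at the end of a
    # clinical session script so the station is never left open.
    rundll32.exe user32.dll,LockWorkStation
}

# Usage:
# Set-IdleLock -TimeoutSeconds 600
# Test-IdleLock
# Lock-Workstation
```

The check is worth running from a separate audit account rather than trusting that the policy applied: a user with local administrator rights can clear these values, which is one more reason the article’s advice to keep staff out of administrative groups matters.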
Social media use
Social media is a powerful, popular new tool. It opens up marketing opportunities, new professional interactions, and a range of audio and video content. And it has little to no practical use for most practice employees during a workday, according to Peter Polack, MD, who runs the website Medical Practice Trends, and Daniel M. Siegel, MD, the American Academy of Dermatology’s president-elect and a frequent speaker on technology topics at its annual and summer meetings. Worse, Dr. Siegel contended, it tends to make a practice more exposed and vulnerable.
“I am aware of a situation where an employee decided to post a picture of a patient on their Facebook page,” Dr. Siegel said. “Rapid removal followed and the doctors only found out about it after one of the employees asked the office manager if it was okay to do that!”
Dr. Siegel said his practice takes a hard-line stance on social media as it relates to the workplace.
“The policy is basically that anyone posting anything related to their job is cause for immediate dismissal,” he said. “We’ve just said no Facebook.”
On the other hand, Dr. Siegel said, he provides an off-network computer in the staff lunch area for employees to use during breaks. The computer, using a completely separate dedicated connection, allows employees to indulge in social networking but only while away from their duties and disconnected from the office network.
One notable exception which highlights the importance of tiered access is seen in larger practices that dedicate resources to marketing. Dr. Polack’s practice employs a director of marketing who regularly employs social media for branding and promotional purposes.
“We leave the ultimate decision on social network access to our IT administrator, but for most employees there’s very little reason for any of the staff to be on any kind of social media while using work computers,” Dr. Polack said. “We have people like our marketing director, and those who might be working with the marketing director, who have access to social networking sites, but that’s about it.”
In terms of keeping the office network secure, setting up a second, non-connected network for personal and patient use can eliminate one of the biggest risk factors. Many physicians like to bring in computers from home. Allowing these to connect to the practice network, Weber said, is a huge security risk for the practice.
“We don’t allow the physicians in the practice to use their private machines to get on the network. You can’t control what’s on it, or how it’s used outside of the office. It could be compromised; it could have malware on it,” Weber said. “If we don’t check the machine and have it under our control, we don’t want to be liable for what can happen if they get onto the network.”
For personal business, Dr. Siegel said, he and his partners use a separate connection to the Internet when they want access from personal computers while in the office. The investment, he said, is certainly worthwhile for any practitioner.
“It can be a good investment to hire an IT person to set up things correctly. You wouldn’t leave a door unlocked in your office, so you shouldn’t leave yourself with subpar security just because you don’t understand the technology,” he said.
Dr. Polack shared the story of a colleague who, while participating in online discussions of cases with other physicians, unwittingly put his network’s security at risk.
“Doctors sometimes will download software onto a network computer. There was a case one time where a doctor downloaded a file sharing program that a doctor’s forum was using to share pictures on different cases. It was a peer-to-peer application. It took on a life of its own and started spreading around the network,” Dr. Polack said. “In our practice, we even train the doctors to ask IT before they install something or update something. That can also extend to a doctor’s personal computer. If you have software like that and bring it into the office, there’s a potential security risk there. It’s just not following common-sense procedures.”
For a dedicated DSL line, separate from the work network, Weber said the cost for his practice’s offices amounted to $80 per month per site, in addition to the one-time cost of purchasing a wireless router.