19 October 2022

Security of data documentation – electronic health records and patient data

A storage room full of boxes with paper medical records

One of the most critical issues concerning the computerization of the healthcare system is data documentation security. The obligation to secure both physical and electronic health records (EHR) and other types of healthcare data rests largely on the medical institutions. In the following text, we’ll look at the conditions they must meet under the law and good practices. We’ll also present the life cycle of documents and suggest what standards a software provider should meet if you’re to entrust them with the digitization of your medical facility data.

Types of medical records

Medical records are collections of data and information regarding the process of providing health care services. They are divided into individual (internal and external) and collective.

Individual records are records of individual patients receiving health care services. Individual internal documentation is intended for the needs of a particular healthcare provider, while individual external documentation is dedicated to patients who may also need the assistance of other professionals outside of a single medical facility. On the other hand, collective records are the records of all patients or specific groups of patients receiving health services.

Steps in collecting and securing data documentation

Medical facilities process thousands of documents in various formats every day. These include test results, documentation created during medical appointments, as well as documents concerning the operation and organization of the clinic or hospital. Every day, they are at risk of loss, theft, or security breaches. Therefore, regardless of the amount of collected data or the extent of processing of sensitive data, document protection is a de facto security requirement for every medical facility.

As the amount of data collected increases, managing information becomes more difficult. It should be based on three pillars – security, care and innovation. Therefore, it’s crucial for healthcare facilities to have systems to manage data documentation security and confidentiality efficiently.

To do this, it’s important to know the document lifecycle. It consists of the following stages:

Data generation

This phase relates to active documents, i.e. documents in use at any given time. Documents that are not archived and securely stored pose a severe threat because they can be misplaced or lost. Keeping an eye on their security is, therefore, a priority.

Secure data storage and archiving

The next phase concerns archiving unused healthcare documents. For example, due to legal requirements, a healthcare institution must keep the records of patients who no longer receive medical care there. If these documents are in paper form, there is a considerable risk of them being lost or made available to unauthorized persons. A much better way of archiving this type of data is digitization. Assigning tags that allow the documents to be indexed in the company’s database facilitates organization, keeps the documentation in order, and gives a chance for better protection.

Use and sharing of information

Archiving data is essential, but the conditions in which it’s stored, secured and tagged indirectly affect its longevity and subsequent retrieval. Therefore, document management, appropriate permissions, assigning roles to users, version control, and audit methods are critical at this stage of the document life cycle.

Shredding of unnecessary documents

There comes a time in every healthcare facility when archived documents lose their validity and become redundant, and storing them further generates unnecessary costs. Although these documents have only historical value and no longer support the treatment process, they still contain confidential data that can be misused. Thus, it’s essential to destroy them with appropriate security measures. For digital health data, the methods used are software overwriting, hardware (i.e., physical) destruction, certain software destruction, or a digital data shredder.

Who can access electronic health records?

It’s the responsibility of medical facilities to properly document all relevant information in a patient’s medical record related to their treatment. Although some medical records are still kept on paper, most healthcare providers have decided to go digital. The computerization of healthcare facilitates access to medical records for those entitled to them. However, regulations strictly define who can view, prepare, and change documents.

First, it may be the patient to whom the data refers. Additionally, it often happens that a patient authorizes his or her relatives to look into these records. Finally, the people who produce the medical records – the medical staff – have access to them.

Why is document security important?

Documents face many types of threats. These issues become especially important when sensitive data is involved. And that’s what we’re talking about when it comes to patient data and electronic health records. A breach can lead to data loss, but it can also result in a lawsuit or damage to the medical facility’s reputation for not taking appropriate care of the data. Therefore, in today’s world, document security should be a priority.

Ensuring that paper documents are sufficiently protected is very difficult. It’s actually a much better solution to keep records electronically. Online solutions may be the most beneficial to further protect health records from computer hardware failure or theft. Software for electronic medical records is often a SaaS (Software as a Service) solution. This means that the service (documentation software) doesn’t need to be installed on the computer. Instead, it’s available in the cloud. Thanks to this, it’s not physically connected to the hardware located in the medical facility. You can access it from any device.

Notably, cloud-based software also provides several security features. Although it’s not a comprehensive protection, the service provider takes care of the validity and compliance with regulations. However, it’s important to remember that the obligation to protect the records still rests primarily with the medical facility.

Electronic health records – general conditions and safeguards

Electronic or paper medical records are the type of documents that require special attention to security issues. But, unfortunately, this topic raises more and more doubts as we notice increasingly faster digitalization in the healthcare sector.

To protect medical records in the best possible way, you should first take care to limit access to them to authorized persons only. It’s also necessary to perform cyclical analyses of threats and take measures to minimize them. Besides, you should remember to develop and implement procedures to secure documentation and systems used for its processing. 

An equally important issue is updating the software used in a given medical facility. To protect medical records, it’s also necessary to carry out regular inspections of their functioning and evaluate the effectiveness of the organizational as well as technical and IT methods of protection.

Let’s take a closer look at some examples of threats to medical records and how to avoid them.

Unauthorized access protection


Examples of threats:

  • access by random people (patients in the waiting room or unauthorized employees, e.g. cleaning service),

  • writing down access passwords on pieces of paper,

  • social engineering attacks,

  • remote attacks (viruses, Trojan horses, etc.),

  • software errors.

Examples of security measures:

  • individual accounts and passwords,

  • two-factor authentication,

  • protection against hardware theft,

  • computer locking,

  • automatic logout,

  • physical and software monitoring,

  • frequent software updates.

Providing constant availability of the information system


Examples of threats:

  • power failure,

  • hardware failures (computer, internet connection, servers, etc.).

Examples of security measures:

  • UPS,

  • disk arrays,

  • additional internet connections,

  • multiplexed servers.

Protection against permanent data loss


Examples of threats:

  • hardware and software failures,

  • power surges,

  • disasters: fires, floods, hurricanes,

  • accidental deletion of data,

  • intentional data damage.

Examples of security measures:

  • power supply protection – UPS,

  • physical security – monitoring, locking doctors’ offices,

  • backups,

  • making sure all software is up to date.

The most crucial principle of data documentation security states that any information system is only as secure as its weakest, least secure component. Therefore, responsible maintenance of medical records requires not a one-off implementation of some of the available security measures, but continuous maintenance of all of them, together with monitoring and implementing improvements.

What types of data security can be implemented into medical facility software to keep it safe?

Data Encryption

Data encryption uses cryptography to ensure information security by designing sufficiently strong protective systems. The primary uses of cryptographic methods include:

  • protection against unauthorized disclosure of information,

  • protection of data transmitted between users,

  • confirming user identity,

  • verifying the identity of a program requesting access to resources,

  • preventing unauthorized modification of data.

Data encryption is thus related to both methods of protecting files in computer resources and the process of securing communications. Therefore, entities involved in data exchange, processing, and storage – i.e. medical institutions or healthcare software – should use this type of protection.


Authorization

Authorization confirms a given user’s authority to use the resources he or she is requesting. Authorization usually takes place after successful authentication: access and the corresponding authorizations are granted only after the user’s identity has been verified. Thus, a user can only connect to a specific service after providing the correct user name and password. Types of authentication include passwords, PINs, fingerprints, retinal images, or voice recognition.
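The access rules from "Who can access electronic health records?" and the authenticate-then-authorize order described above can be combined into one check, shown here in Go as an added example (not code from this article or from any EHR product). The role names, the view-only rule for patients and relatives, the 15-minute idle limit standing in for automatic logout, and the audit-line format are all assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// All names and the 15-minute idle limit are assumptions made for this example.
const idleLimit = 15 * time.Minute

type Session struct {
	UserID, Role string    // Role: "patient", "relative" or "staff"
	LastActive   time.Time // zero value: never authenticated
}

type Record struct {
	PatientID string
	Relatives map[string]bool // relatives the patient has authorized
}

var AuditLog []string // one line per decision, allowed or denied

// Authorize checks authentication first (an idle session counts as logged
// out), then the role: staff may view, prepare and change; the patient and
// relatives the patient authorized may only view.
func Authorize(s Session, action string, r Record, now time.Time) bool {
	allowed := false
	if !s.LastActive.IsZero() && now.Sub(s.LastActive) <= idleLimit {
		switch s.Role {
		case "staff":
			allowed = action == "view" || action == "prepare" || action == "change"
		case "patient":
			allowed = action == "view" && s.UserID == r.PatientID
		case "relative":
			allowed = action == "view" && r.Relatives[s.UserID]
		}
	}
	AuditLog = append(AuditLog, fmt.Sprintf("%s user=%q action=%q patient=%q allowed=%t",
		now.Format(time.RFC3339), s.UserID, action, r.PatientID, allowed))
	return allowed
}

func main() {
	now := time.Now()
	rec := Record{"p1", map[string]bool{"rel1": true}} // constructed sample data
	fmt.Println(Authorize(Session{"rel1", "relative", now}, "view", rec, now))
	fmt.Println(Authorize(Session{"dr1", "staff", now.Add(-time.Hour)}, "view", rec, now))
	fmt.Println(AuditLog)
}
```

Denied requests are logged as well as allowed ones, so repeated attempts by an unauthorized user remain visible in the audit trail.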

Digital Signature

A digital signature is a message encrypted with the private key of an authorized user, who signs it in this way. It’s used to confirm the content of the information. The signature performs several functions:

  • ensures the authenticity of the information,

  • guarantees non-repudiation of the information’s authorship,

  • allows finding any unauthorized changes in the document (integrity).

These issues are fundamental in the case of medical records.
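The three functions listed above can be seen on a single record entry. This is an added example in Go (not code from this article), using Ed25519 from the standard library as the signature scheme; the entry fields, the author registry and the sample values are assumptions constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Entry, SignedEntry and Registry are assumptions made for this example.
type (
	Entry       struct{ PatientID, AuthorID, Created, Note string }
	SignedEntry struct {
		Entry     Entry
		Signature []byte
	}
	Registry map[string]ed25519.PublicKey // author ID -> public key
)

// NewKeyPair creates a signing key pair for one author.
func NewKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// serialize is deterministic: struct fields marshal in declaration order.
func serialize(e Entry) []byte {
	b, _ := json.Marshal(e) // cannot fail for a struct of strings
	return b
}

// Sign is run by the author, with the private key only the author holds.
func Sign(e Entry, priv ed25519.PrivateKey) SignedEntry {
	return SignedEntry{e, ed25519.Sign(priv, serialize(e))}
}

// Verify fails if the content changed or the author field was swapped.
func Verify(s SignedEntry, reg Registry) bool {
	pub, ok := reg[s.Entry.AuthorID]
	return ok && ed25519.Verify(pub, serialize(s.Entry), s.Signature)
}

func main() {
	pub, priv := NewKeyPair()
	s := Sign(Entry{"p1", "dr-a", "2022-10-19T10:00:00Z", "Dosage: 5 mg"}, priv)
	s.Entry.Note = "Dosage: 50 mg" // constructed tampering after signing
	fmt.Println("tampered entry verifies:", Verify(s, Registry{"dr-a": pub}))
}
```

Because the author ID is part of the signed bytes, reassigning an entry to another registered clinician fails verification just as a changed note does.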

Software for the healthcare sector and data security

If you plan to digitize your medical facility or build healthcare software that deals with electronic health records and patient data, choosing a reliable business partner to carry out the entire process is essential. Adequately implemented data security strategies protect a medical facility’s information resources from cybercriminals and internal threats or human error.

It’s worth paying particular attention to whether a company you chose to work with:

  • has proper knowledge of and experience with the provisions of GDPR and/or HIPAA,

  • applies processes compliant with ISO and MDR requirements (for example, Revolve Healthcare follows the ISO 13485 requirements, as well as the IEC 62366 and IEC 62304 standards),

  • is committed to data security,

  • understands and is familiar with the healthcare software environment,

  • applies best programming practices to maintain the high-quality services offered.

To sum up, the data security of medical records requires an extraordinary approach and personalized protection measures. Therefore, if you want to keep digital documents in your medical facility or patient data in your app, it’s worth asking a specialized company for help in securing them. After analyzing the life cycle of the documents, they will be able to advise on the best forms of data protection at every stage of their use.