It is critical that your local network have the bandwidth and security to support your EHR system.
Some areas to consider as part of your EHR planning include:
1. Capacity and performance. Estimating bandwidth requirements can be complex and depends on a number of different factors, such as the number of users and locations, real-time transaction volume, and hardware and storage technology. It is best to work directly with your EHR vendor to determine requirements.
2. Perimeter protections. Higher-valued assets justify more robust protection. If a firewall is not part of your Internet gateway, one must be installed. Verify that recent patches, upgrades and firmware versions are installed. Audit the firewall rule set to ensure that only legitimate traffic is permitted on to and off of the network. Delete any rules that allow file sharing unless there is a critical business purpose.
3. Intrusion detection. Install an intrusion detection system (IDS) to drop anomalous traffic that matches the "signature" of a well-known network attack.
4. Network segmentation. Consider segmenting the network to isolate the EHR system along with other systems requiring access to the EHR. The purpose is to remove connectivity between the EHR and other systems whose users do not require access to the EHR.
5. Directory audit. Audit the Active Directory structure and policy to ensure that workstation access to the EHR system complies with good security standards. Users should be properly authenticated with strong passwords, smart cards or tokens before accessing the workstation or domain resources.
6. Privilege review. Clinical users of EHR systems require few if any administrative rights to the EHR. Review all existing user privileges. Where feasible, employ Active Directory to centrally manage user rights.
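Two of the checks above, the firewall rule-set audit in item 2 and the privilege review in items 5 and 6, are the kind of thing worth scripting so they can be repeated after every change. The following is an added example, not code from the HRSA page or from any EHR vendor: it runs both checks over constructed sample data. The comma-separated rule format, the role attribute on each account, and the group name "EHR-Admins" are assumptions made for the example; the userAccountControl bit values are the documented Windows ones, and "Domain Admins" and "Administrators" are the built-in group names. Adapt the two parsers to your firewall's and directory's real export formats.

```python
"""Added example: repeatable checks for two items on the EHR network checklist.

audit_firewall_rules - flags perimeter allow rules that expose file-sharing
                       ports (NetBIOS, SMB, NFS) to any source, and allow-any rules.
review_privileges    - flags clinical accounts holding administrative group
                       membership, and accounts whose userAccountControl flags
                       weaken authentication.
Input formats below are assumptions for this example, not a vendor's export.
"""
from dataclasses import dataclass

# Ports used by common file-sharing protocols (NetBIOS 137-139, SMB 445, NFS 2049).
FILE_SHARE_PORTS = {137, 138, 139, 445, 2049}

# Documented Windows userAccountControl bits.
PASSWD_NOTREQD = 0x0020
DONT_EXPIRE_PASSWORD = 0x10000
SMARTCARD_REQUIRED = 0x40000

# Group names whose members hold administrative rights. The built-in names are
# real; "EHR-Admins" is an assumed application-specific group for this example.
ADMIN_GROUPS = {"Domain Admins", "Administrators", "EHR-Admins"}


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR, or "any" for unrestricted (Internet) sources
    dst: str
    proto: str             # "tcp", "udp" or "any"
    ports: frozenset       # empty set means "any port"
    justification: str     # documented business purpose, if any


def parse_rules(text):
    """Parse constructed 'name,action,src,dst,proto,ports,justification' lines."""
    rules = []
    for line in text.strip().splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, action, src, dst, proto, ports, just = [f.strip() for f in line.split(",", 6)]
        portset = frozenset() if ports == "any" else frozenset(int(p) for p in ports.split("|"))
        rules.append(Rule(name, action.lower(), src, dst, proto.lower(), portset, just))
    return rules


def audit_firewall_rules(rules):
    """Return (rule name, finding) pairs for allow rules that need review or deletion."""
    findings = []
    for r in rules:
        if r.action != "allow" or r.src != "any":
            continue                      # only inbound allows from unrestricted sources
        if r.proto == "any" and not r.ports:
            findings.append((r.name, "allow-any rule: permits all traffic from any source"))
            continue
        exposed = sorted(r.ports & FILE_SHARE_PORTS) if r.ports else "any port"
        if exposed:
            why = (f"documented purpose: {r.justification}" if r.justification
                   else "no documented business purpose: delete")
            findings.append((r.name, f"file sharing reachable from any source ({exposed}); {why}"))
    return findings


@dataclass(frozen=True)
class Account:
    sam: str
    role: str              # assumed HR role attribute: "clinical", "it" or "service"
    groups: frozenset
    uac: int               # userAccountControl value


def review_privileges(accounts):
    """Return (account, finding) pairs for excess rights or weak authentication settings."""
    findings = []
    for a in accounts:
        admin = sorted(a.groups & ADMIN_GROUPS)
        if a.role == "clinical" and admin:
            findings.append((a.sam, f"clinical user holds administrative groups: {admin}"))
        if a.uac & PASSWD_NOTREQD:
            findings.append((a.sam, "password not required (PASSWD_NOTREQD set)"))
        # A non-expiring password matters only where the password is the credential;
        # smart-card-required accounts do not log on with it.
        if a.uac & DONT_EXPIRE_PASSWORD and not a.uac & SMARTCARD_REQUIRED:
            findings.append((a.sam, "password never expires and smart card not required"))
    return findings


# Constructed sample data (RFC 5737 documentation address for the vendor host).
SAMPLE_RULES = """
# name, action, src, dst, proto, ports, justification
https-in, allow, any, 10.10.1.20/32, tcp, 443,
smb-in, allow, any, 10.10.1.0/24, tcp, 445|139,
vendor-nfs, allow, 203.0.113.5/32, 10.10.1.30/32, tcp, 2049, vendor image archive
legacy-any, allow, any, 10.10.0.0/16, any, any,
deny-all, deny, any, any, any, any,
"""
NORMAL_ACCOUNT = 0x200
SAMPLE_ACCOUNTS = [
    Account("jnurse", "clinical", frozenset({"EHR-Users"}), NORMAL_ACCOUNT),
    Account("drsmith", "clinical", frozenset({"EHR-Users", "Domain Admins"}),
            NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD),
    Account("svc-backup", "service", frozenset({"EHR-Admins"}), NORMAL_ACCOUNT | PASSWD_NOTREQD),
    Account("itadmin", "it", frozenset({"Domain Admins"}),
            NORMAL_ACCOUNT | SMARTCARD_REQUIRED | DONT_EXPIRE_PASSWORD),
]

if __name__ == "__main__":
    for name, msg in audit_firewall_rules(parse_rules(SAMPLE_RULES)):
        print(f"firewall  {name}: {msg}")
    for sam, msg in review_privileges(SAMPLE_ACCOUNTS):
        print(f"directory {sam}: {msg}")
```

On the sample data the firewall audit flags only "smb-in" (SMB exposed with no justification) and "legacy-any"; the vendor NFS rule is not flagged because it is restricted to a single source host, which is the shape a justified exception should take. The privilege review flags the clinician in Domain Admins and the service account with PASSWD_NOTREQD, while the IT administrator passes because smart-card logon is required.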
Comments?
E-mail the HealthIT e-mail box: healthit@hrsa.gov