Protecting Your Patients’ Information Against Unauthorised Access
Paper-based records have always been at risk of unauthorised access, but to gain that access the interloper had to be physically present with the records. With networked systems, electronic health records can be at risk from anywhere in the world.
The first line of defence against unauthorised access is the good habits of the staff. For example, the U.K. Department of Health advises that staff working in offices where records may be seen must:
- Shut/lock doors and cabinets as required.
- Wear building passes/ID if issued.
- Query the status of strangers.
- Know who to tell if anything suspicious or worrying is noted.
- Not tell unauthorised personnel how the security systems operate.
- Not breach security themselves.
Staff working with electronic records should additionally:
- Always log out of any computer system or application when work on it is finished.
- Not leave a terminal unattended and logged-in.
- Not share logins with other people. If other staff have need to access records, then appropriate access should be organised for them - this must not be by using others’ access identities.
- Not reveal passwords to others.
- Change passwords at regular intervals to prevent anyone else using them.
- Avoid using short passwords, or using names or words that are known to be associated with them (e.g. children’s or pet names or birthdays).
- Always clear the screen of a previous patient’s information before seeing another.
- Use a password-protected screen-saver to prevent casual viewing of patient information by others.
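The password advice above (no short passwords, nothing derived from names or birthdays known to be associated with the user) can be enforced at the point a password is set rather than left to habit. The following is an added example, not code from the Code of Practice or from any practice system; the user profile and the field names (`username`, `names`, `dates`) are assumed to be what an HR or staff directory could supply, and the 12-character minimum is an assumption. It goes slightly beyond the text in that it also catches simple letter-for-digit disguises such as `Em1ly`.

```python
import re
from datetime import date

MIN_LENGTH = 12  # assumed local minimum; the Code of Practice gives no figure

# Common letter-for-digit substitutions, so "Em1ly" is still caught as "emily".
_SUBS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})


def context_words(profile):
    """Words a password must not contain: the user's own identity, the family
    and pet names held on record, and those people's birthdays written in the
    usual numeric forms."""
    words = {profile["username"].lower()}
    words.update(n.lower() for n in profile["names"])
    for d in profile["dates"]:
        words.update({
            d.strftime("%d%m%Y"), d.strftime("%d%m%y"), d.strftime("%Y%m%d"),
            d.strftime("%d%m"), d.strftime("%m%d"), d.strftime("%d%b").lower(),
            str(d.year),
        })
    return {w for w in words if len(w) >= 3}  # ignore fragments too short to matter


def check_password(password, profile, blocklist=frozenset()):
    """Return a sorted list of reasons the password is unacceptable.
    An empty list means the password passes every check here."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    raw = password.lower()
    if raw in blocklist:
        reasons.append("appears in the common-password blocklist")
    # Names are checked against both the plain and the de-disguised form;
    # dates only against the plain form, since digits are their whole content.
    forms = (raw, raw.translate(_SUBS))
    for w in context_words(profile):
        if any(w in f for f in forms):
            reasons.append(f"contains personal detail '{w}'")
    return sorted(reasons)


# Constructed sample profile (hypothetical person, hypothetical dates).
SAMPLE_PROFILE = {
    "username": "jsmith",
    "names": ["John", "Smith", "Emily", "Rex"],         # self, child, pet
    "dates": [date(1975, 6, 3), date(2008, 11, 21)],    # own and child's birthday
}
```

A typical call is `check_password("Emily2008!", SAMPLE_PROFILE)`, which fails on length, on the child's name and on the child's birth year; a long passphrase with no personal content returns an empty list. The context words come from data the organisation already holds, which is exactly the data an insider or a casual acquaintance would try first.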
Source: Confidentiality: NHS Code of Practice, The Stationery Office, London, 2003
Protecting Your Patients’ Information Against Malicious Damage
Paper-based records have always been at risk of malicious damage. Fire and flood may be initiated deliberately.
Computers are attractive targets in themselves, both to thieves and to people who write viruses to attack them. In Salford, Greater Manchester, in the mid-1990s, one practice was so worried about theft from its premises that its entire computer system was kept on a single laptop that was taken away at night.
Generally, however, whilst physical security is certainly an issue, malicious software is the greater risk. In recent years NHSnet has been attacked and breached by the ‘ILOVEYOU’ virus (2000) and the Blaster worm (2003).
Every health care organisation should have a security policy that takes full account of the need for confidentiality as well as authentication and integrity of the computerised patient record system. The security policy should take account of local circumstances and risks but should specifically address the points under the headings below (these are the control areas of BS 7799, later ISO/IEC 17799):
- Security policy
- Security organization
- Asset classification and control
- Personnel security
- Physical and environmental security
- Communications and operations management
- Access control
- System development and maintenance
- Business continuity management
The policy should recognise the need for data entry to be restricted to properly trained and authorised people. It must take full account of the need for entries to be accurate, complete and attributed to the person responsible for the observations or interventions recorded. When considering authentication, all staff should be aware that they may be held liable for the content and accuracy of information that appears to have been entered by them or on their behalf. It is therefore important that the security features of the system and the procedures followed by the practice combine to minimise the risk of a record entry being accidentally or fraudulently attributed to the wrong user.
It may be necessary to prove that an entry was or was not made by the person to whom it is attributed. Since most systems attribute each entry to whichever user is currently logged in, it should never be acceptable for an entry to be made while someone else is logged into the system. More generally, it is essential that all users:
- have a unique user identity and password;
- keep their password secret and do not divulge it to other users for any reason;
- change their passwords at frequent intervals (current NCSC and NIST guidance instead favours changing a password when compromise is suspected, and puts length, uniqueness and blocklisting ahead of forced expiry);
- log out of workstations when their task at that workstation is finished and never leave a workstation logged in but unattended.
The policy should ensure that the organisation has a clearly laid out disaster recovery plan. This will need to address the temporary replacement of the organisation’s electronic functions with paper-based alternatives; the retention of those temporary records and their entry into the electronic record system once it is available again; and the extraction of essential information from ancillary systems, such as the backup of any electronic appointment book.
Gillies AC (2006) The Clinicians Guide for Surviving IT, Radcliffe Publishing, Abingdon