
Archives for: July 2009

07/28/09

02:12:09 pm, Categories: EMR Related News

Healthcare Industry not Prepared for Technology Risks

The healthcare industry is perhaps the furthest behind in adopting information technology. In addition to stimulating the economy, the American Recovery and Reinvestment Act (ARRA) allocates substantial funding to help the healthcare industry implement Electronic Medical Records (EMRs) and supporting IT infrastructure. Although the ARRA will help bring healthcare into the 21st century, it may create more problems.

The Time is Now, a recent study by Deloitte, finds that the healthcare industry is not prepared to deal with the security challenges that will result from the ARRA stimulus. EMRs and information technology such as computers, internet connections, and local office networks provide many benefits and are critical for physicians who want to participate in the ARRA stimulus package. However, a computerized office introduces security risks that physicians and their staff will have to address.

Many people are familiar with stories about hospitals getting hacked, or leaking confidential patient information onto the internet. The risk of data theft or loss is real, even for small practices. Losing or having your data stolen can have terrible consequences for your practice. If a hacker or malicious software steals or destroys your data, you may not be able to see patients. As a result, you could go out of business or face prosecution for HIPAA violations.

This shouldn’t scare you away from implementing an EMR or participating in the ARRA stimulus package. Managing security risks is not difficult, but it does require some planning and foresight. HIPAA regulations require that your practice create a “security management process” that includes a risk analysis and a risk management plan.

A risk analysis will help you determine the information security risks your practice faces. The most common risks are data loss through hardware failure, malicious acts, or disasters such as fires or floods. Risk management plans typically include local and offsite backups, deploying antivirus software, keeping your computers and software up to date, as well as staff education plans.

If you currently have an EMR or think you may purchase one soon, be sure to spend some time reading up on risk management. Just like you wouldn’t drive your car without a seatbelt, you shouldn’t have a computerized office without a risk management plan. If you’re unsure about how to start, contact your local IT support professional or EMR vendor. They will be able to help you draft a risk management plan, or at least point you in the right direction.

07/20/09

01:57:13 pm, Categories: EMR Related News

Meaningful Use Criteria and Certifying Entities Proposed by ONC Committee

The Office of the National Coordinator for Health Information Technology voted to approve the meaningful use recommendations from the Health IT Policy Committee last week. The HITECH Act requires physicians to use a “certified” EMR system in a “meaningful way” to qualify for reimbursement payments. The recommendations contain specific functionality that EMR systems must provide. Furthermore, physicians must actually implement and use these features in their practice on a daily basis to show meaningful use of their EMR system.

E-prescribing, checking for drug-to-drug interactions, and maintaining an updated problem list are among the approved meaningful use criteria. David Blumenthal, the National Coordinator for Health IT, must approve the recommendations before submitting them to the Centers for Medicare and Medicaid Services (CMS). CMS will use these recommendations to make the meaningful use rules, due in December.

In addition to meaningful use, physicians must purchase and implement a “certified” EMR system. Previously, many thought the committee would choose the Certification Commission for Healthcare Information Technology, otherwise known as CCHIT, as the sole certifying body. The Health IT Policy Committee, however, advocated that multiple organizations perform “HHS Certification.”

The committee recognized CCHIT certification as “excessively detailed.” The committee criticized CCHIT as giving “too much attention to specific features and functionality.” Instead, the committee wants to limit certification to the minimum set of criteria to fulfill the meaningful use requirements in addition to security and privacy concerns.

The committee proposed that “HHS certification means that a system is able to achieve government requirements for security, privacy, and interoperability, and that the system would enable the Meaningful Use results that the government expects. HHS Certification is not intended to be viewed as a ‘seal of approval’ or an indication of the benefits of one system over another.” However, the committee thinks more comprehensive certification of EMR, like what CCHIT provides, should continue pending market demand. The committee does not want CCHIT to be a requirement for Medicare and Medicaid incentive payments.

The Health IT Policy Committee made the right decision with respect to requirements for certified EMR systems. Selecting criteria that address security, privacy, interoperability, and meaningful use requirements makes sense. In addition to being “excessively detailed,” CCHIT has many other drawbacks, such as its hefty application price tag and limited participation by EMR vendors. Choosing CCHIT as the certification criteria would have eliminated many smaller vendors from the market and potentially jeopardized the entire stimulus act.

07/14/09

09:50:28 am, Categories: EMR Related News

Viruses Still an Issue for Health IT

A recent article reports that a computer virus compromised thousands of patient records belonging to a Canadian hospital. The virus attacked Netcare, Alberta Health Services’ electronic health record, earlier this year. The virus was a Trojan horse similar to Coreflood, which aims to steal data and send it over the internet to a hacker.

The hospital was able to remove the virus once it was detected. They do not believe the Netcare system itself was compromised; rather it seems the virus accessed data through an infected client computer. Although the hospital is not sure any data was actually stolen, they notified over 11,000 patients whose information may have been leaked.

Despite media coverage, public awareness, and complex information security laws like the Health Insurance Portability and Accountability Act (HIPAA), computer viruses are still a problem. Viruses and other malicious software are a threat to any business, but the healthcare industry should be especially vigilant because medical data is so sensitive.

No system can be 100% safe against viruses and malicious software. However, there are some simple precautions you can take. First and most important, be sure every computer at your office is running antivirus software. Be sure that your antivirus is set to auto-update every day and to scan every night if possible. AVG has great software that will protect against viruses as well as spyware.

Second, make sure your computer is protected by a firewall. Firewalls help block unwanted traffic, and they can prevent viruses from getting to your computer. Any Windows computer running XP Service Pack 2 or later has a built-in firewall. There are many third-party firewalls available as a stand-alone program, or built into antivirus suites. Whichever firewall you use, make sure it denies any connections you don’t explicitly approve.

Third, make sure your computer automatically updates. Keeping your software current is critical because updates can fix vulnerabilities in the software that viruses or hackers can exploit. You can set Windows to automatically download and install updates for you. In most cases, your computer will restart itself, and you won’t have to do anything.

Finally, don’t let the threat of viruses and malicious software discourage you from purchasing an electronic medical record or using computers at your office. Although you should be concerned about the security of your patients’ data, observing these simple precautions should keep you safe. Electronic medical records and computers offer tremendous benefits to your practice that far outweigh the risks of viruses.

07/07/09

09:44:03 am, Categories: EMR Related News

Does your Practice have a Disaster Recovery Plan?

Have you ever thought about what would happen to your practice if some kind of disaster occurred? What would you do if a fire destroyed your office? How would you respond if one of your computers suffered a hard disk crash? Would you lose your patient records? These are issues most people only think about once it’s too late. Statistics show that most businesses never open their doors after a catastrophic event. You need a disaster recovery plan to protect your practice and your patients.

There are several critical elements you need to consider in your plan. First, conduct a survey and analysis of your office. Make a list of all hardware and data stores. Keep track of the software you use, not just the data. Belarc Advisor is a free program that will create a list of all the software and settings on a computer. Add these reports to your recovery plan.

Create a diagram that shows the office setup; include information about printers, computers, networking gear, and other important hardware. If you have to rebuild your office, the diagram will speed up recovery. Include as much detail as possible; that way you can hand the diagram to an IT professional and have them set up the office for you. Be sure to purchase business insurance. Your plan won’t help if you don’t have the financial resources to rebuild.

Second, backups are the most important part of your plan. You should have both local and offsite backups. Local backups are handy for minor emergencies, such as disk crashes or accidental deletions. Ideally, you should have a local backup for each computer, in addition to your main data store or server. We prefer external two-terabyte USB drives for local and offsite backups. Be sure to include email and CD-ROM images of all your software. Consider encrypting your local and offsite backups; that way, if someone steals the drives, they won’t have access to your data.

Offsite backups are critical for disasters, such as fire, flood, or theft. For best results, use an offsite backup that will give you physical access to the storage media so you can quickly restore your data. Offsite backups send files over the internet, so you are limited by bandwidth. Make sure your office has high speed internet and that your backup includes the most critical data. You may want to periodically update your offsite backups to include email and software images, since these are usually too large to transfer over the internet.

Third, be sure you monitor the backups. Monitoring is critical; you should get daily reports indicating that your backups ran, and whether or not they were successful. Backups that aren’t functioning provide a false sense of security.
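One way to produce the daily pass/fail report described above, as an added example that is not part of the original post. It assumes the backup job writes a checksum manifest named `MANIFEST.sha256` (a hypothetical name, one `<sha256>  <relative path>` entry per line) as its last step, and that backups run nightly; the 26-hour freshness threshold is likewise an assumption.

```python
import hashlib
import sys
import time
from pathlib import Path

MAX_AGE_HOURS = 26                 # assumption: nightly job plus two hours of slack
MANIFEST_NAME = "MANIFEST.sha256"  # hypothetical file written last by the backup job


def sha256_of(path):
    """Hash a file in chunks so large backup images do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backup(backup_dir, now=None):
    """Return a list of problems; an empty list means the backup looks healthy."""
    now = time.time() if now is None else now
    manifest = Path(backup_dir) / MANIFEST_NAME
    if not manifest.is_file():
        return ["no manifest found: the backup never ran or did not finish"]
    problems = []
    age_hours = (now - manifest.stat().st_mtime) / 3600
    if age_hours > MAX_AGE_HOURS:
        problems.append(f"last backup is {age_hours:.0f} hours old")
    lines = [ln for ln in manifest.read_text().splitlines() if ln.strip()]
    if not lines:
        problems.append("manifest is empty: nothing was backed up")
    for line in lines:
        parts = line.split(maxsplit=1)
        if len(parts) != 2:
            problems.append(f"malformed manifest line: {line!r}")
            continue
        expected, name = parts[0].lower(), parts[1].strip()
        target = Path(backup_dir) / name
        if not target.is_file():
            problems.append(f"missing file: {name}")
        elif sha256_of(target) != expected:
            problems.append(f"checksum mismatch (corrupt or altered): {name}")
    return problems


def daily_report(backup_dir, now=None):
    """Build the text of the daily report: one status line, then any problems."""
    problems = check_backup(backup_dir, now)
    if not problems:
        return "BACKUP OK"
    return "BACKUP FAILED\n" + "\n".join(f"- {p}" for p in problems)


if __name__ == "__main__" and len(sys.argv) == 2:
    print(daily_report(sys.argv[1]))
```

Run it from a scheduled task against each local backup drive and send the output to whoever is responsible for the backups; a day with no report at all should be treated as a failure too.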

Finally, if you don’t have an Electronic Medical Record (EMR), get one. Paper charts are almost impossible to back up. Paper is a fire hazard, and even the fire sprinklers could ruin your charts. EMRs are infinitely more survivable, and key to your disaster recovery plan.

XLEMR

News and Articles related to XLEMR and Electronic Medical Records
