When you started working in your current office, you probably didn’t need a key to every door in the building to do your job. You also probably didn’t need to go to the hardware store and create a custom key for every single door that you do need to enter. But for some healthcare organizations, their EHR security is similarly inefficient. With the help of Epic’s templates and a strong governance structure, you can remove a lot of the security hurdles that slow down your team. A security assessment is your first step.
When should you have an assessment?
I recommend a security assessment for any organization that started its security implementation before Epic established a linkable template system for users. I’ve worked with organizations that have completely customized user records, which is much less efficient and requires more resources to maintain. Implementing linkable templates and using the subtemplate feature helps standardize access for similar users and facilitates optimization efforts.
Most organizations have an established governance structure, but evaluating the policies and procedures to ensure a sound security foundation can be beneficial. Clearly defined change control processes and clearly identified groups that are responsible and accountable for decisions are essential to avoid the potential unintended consequences of unilateral decisions.
What does a security assessment entail?
As the security assessors, the first thing we do is look at the organizational structure. Who are the decision makers? What are the processes? What are the IT relationships with compliance? How open is communication? Is the organization standardized? How are records maintained and documented? There are a lot of questions, but the answer to each of them is important.
One of the first things we consider is the organization's philosophy. By that I mean the organization's strategy for implementing profiles, security classes, work rule, and engine rule, and how that strategy fits with Epic’s recommendations so that future upgrades and optimizations are more easily implemented. Next we'll consider the pain points of maintaining and supporting a dysfunctional security foundation.
One of the main benefits of a security assessment and the move toward standardization, using templates, and realigning profile strategy is that it makes day-to-day support easier and more efficient. I’ve seen organizations that had over 50 security tickets a day. Some of them were simple issues, but even simple fixes take time and use valuable resources.
An assessment typically involves evaluating the organizational security foundation, governance structure, and specifics pertaining to each application. This is followed by a detailed report of those findings, optimization recommendations, and potential benefits for that specific organization.
Additional security-related training for staff is often needed in order to facilitate optimization recommendations. This is dependent on the organization, established workflows, and knowledge and experience of the IT staff as well as the extent of the optimization work.
Consolidation, standardization, and centralized control of security-related changes are general recommendations for all organizations as the foundation of a sound security structure. Another general recommendation is an established strategy and tight control of the workflow engine.