Tuesday, May 4, 2010

A Secure EMR Transition

This is a nice piece written by a security expert who is making wild assertions that are likely to be true, but I think there is far easier fruit to grasp. What I mean by this is that the article is full of the typical security banter about policy, procedure, least privilege, etc. These are all good things; what bothers me is that these are said without evidence that these are actually causing harm. Whereas we have lots of evidence that simpler things, like turning off an account of someone who just got fired, are causing harm. Or defining what is allowed and what is not, so that you know if your security is in control or not. Or a host of other times when an EHR is not used securely. But the point is that this article is sound, generic IT security.
To implement EMRs securely, organizations will need to replace their trust-based security method with an approach based on processes and policies. These processes and policies should give employees only the required access to confidential information they need to do their job, while providing a highly automated and efficient process for granting privileges when needed.