269615 Preparing the information technology infrastructure to provide a secure and stable environment for the use of electronic health records (EHRs) and protected health information (PHI)

Tuesday, October 30, 2012 : 3:30 PM - 3:50 PM

Michael Harris, MS(HI), CISSP, WAPT, Department of Information Technology and Department of Health Management & Informatics, University of Missouri, Columbia, MO
Iris Zachary, PhD, MSHI, CTR, MO Cancer Registry & Research Center/Dept. of Health Management & Informatics, University of Missouri, Columbia, MO
Jeannette Jackson-Thompson, MSPH, PhD, Health Management & Informatics, University of Missouri-Columbia, Columbia, MO

Background: Constantly changing legislative mandates such as HIPAA, HITECH and ARRA have provided a minefield of best practices with no detailed guidance on how to secure intersystem communications locally, between peers and up-line to federal agencies. To be in compliance with the ARRA HITECH Act, information technology infrastructure must be ready by the time data is transmitted, processed and stored. Rich but large datasets derived from electronic health records (EHRs) will require hospitals, clinics/physician offices, interlinked health exchanges and disease registries to collaborate to provide better and more streamlined data collection and communicate in secure ways. These collaborations foster a better continuum of care; secure infrastructure is critical for the further development and return on investment of EHRs.

Purpose: Describe benefits associated with integrating information security and information technology planning early on in preparing the environment for the use of EHRs and demonstrate how to transform high-level security and privacy mandates into operational best practices that reinforce secure data transfers of patient health information and communications between EHRs and disease registries.

Methods: We reviewed and analyzed the Missouri Cancer Registry and Research Center's current information infrastructure. We developed strategic steps to prepare the environment for new information technology use, including selecting secure messaging transfer software, and identified areas that needed to be improved to meet the increased data and information flow.

Discussion/Conclusions: Communicating with key stakeholders and technical implementation staff from the project onset, we were able to assure secure system design and secure messaging/data transfer between point-of-care clinical staff in multiple locations. This facilitated data aggregation from EHR sources and permitted encrypted data submission to authorized recipients. The requirement is not only to have the necessary information technology in place but also to create an environment that can support various applications needed to demonstrate meaningful use.

Learning Areas:
Communication and informatics
Other professions or practice related to public health
Public health or related laws, regulations, standards, or guidelines
Public health or related organizational policy, standards, or other guidelines
Systems thinking models (conceptual and theoretical models), applications related to public health

Learning Objectives:
1. Describe when and how to insert information security and privacy into your projects.
2. Discuss how to distill high-level security principles to operational rules.
3. Identify two or more Internet sources for best practice security guides.
4. Explain how to distill information in best practice security guides down to usable security methods and recommendations.

Keywords: Information System Integration, Public Health Informatics

Presenting author's disclosure statement:

Qualified on the content I am responsible for because: I am lead Principal Analyst & auditor for the information security and access management team at the University of Missouri, a Certified Information Security Practitioner CISSP #117627 and SANS certified Web application penetration tester. I have received SANS training in Computer Forensics and Incident Management. I teach information security policy for the Dept. of Health Management & Informatics and have worked with Missouri Cancer Registry staff to assess and improve their data security.
Any relevant financial relationships? No

I agree to comply with the American Public Health Association Conflict of Interest and Commercial Support Guidelines, and to disclose to the participants any off-label or experimental uses of a commercial product or service discussed in my presentation.

Back to: 4316.1: HIIT Innovation Part 2