Kaiser Permanente’s EHR System, Term Paper Example

Kaiser Permanente utilizes an information system referred to as Kaiser the Clinical Information System (CIS), which is an electronic health record system developed by its employees in Colorado. The main purpose of this system to simplify information transfer across the company’s several regions. Although this system was designed to deal with the complete information set that the company manages, it is currently only useful for tracking outpatient medical office data (Shafrin, 2010). As a consequence, the system was further developed into what is now known as KPHealthConnect, which is essentially an off-the-shelf electronic health record program that has been modified for Kaiser Permanente’s use. This system is more comprehensive and includes listings of personal health records, outpatient practice management systems, outpatient clinical data, inpatient billing information, inpatient pharmacy orders, inpatient administrative systems, and inpatient clinical data.

Since it is essential to protect sensitive patient information, it would be ideal to utilize a two-factor authentication method. While it is certainly necessary to utilize username and password authentication for these systems, it would be beneficial to supplement this authentication using a second factor. Some systems can include use of a digital certificate, device ID or risk-based authentication, or biometrics. However, some companies believe that their information is protected to the highest extent if their users are provided with a one-time password with two factor authentication (Pham, 2014). Ultimately, many health care professionals believe that the biggest threat to a security breach is the use of weak passwords; using a one-time password with two factor authentication solves this pertinent issue.

Even in a company as large as Kaiser Permanente, it would be feasible to implement this authentication method. For a security breach to occur, the hacker must first be able to enter the email inbox of an employee or sneak a look at their phone. While this is certainly possible, it is significantly less likely than simply finding the password written down around the employee’s desk space or guessing it based on the employee’s likes and hobbies. Furthermore, if the password that is generated upon each request is a mix of capital and lower case letters, numbers, and symbols, it will be nearly impossible to guess the password, which is strengthened by the fact that it is changed each time the employee wishes to gain access to the health record system.

The main access control policy that is relevant to this authentication method is the use of IP access controllers. To ensure that the patient information is optimally protected, it would be useful to prevent its accessibility from points outside of Kaiser Permanente. This will prevent employees from being able the access this information on their own outside of work without permission; to do so, they will be required to check out a company laptop, which will enable Kaiser Permanente to track the source of a security breach if it occurs. Furthermore, a hacker who is not affiliated with the company and able to gain access to an employee’s email inbox and login will not be able to access this data from their personal computer. This is an essential protection because it ensures that the information is protected from all angles, which is necessary for a company as large as Kaiser Permanente that has amassed a large amount of patient data over the years. Ultimately, IP access control is the only access control methodology I would consider using for my system because due to the protection provided by the one-time password with two factor authentication process, this method is supplementary to the security offered.

Access control should be administered and controlled by Kaiser Permanente’s IT department, but department manager’s should also have some power to work as a checks and balances system to ensure that the IT department isn’t accessing this information for their own personal gain. The department managers will be responsible for determining who will have access to Kaiser Permanente’s electronic health record system. They will then be sent to the IT department to develop a suitable username and to learn how to access the system. To ensure safety, each user will be provided with a username that is completely numerical; each username will begin with their birth month followed by the last four numbers of their social security number. Therefore, the employee will be encouraged to keep his or her username private, making unwanted security breaches even simpler to prevent.

Access control will be regulated through the employee’s cell phone if the company has provided the employee with one for work purposes. Otherwise, access control will be regulated through the employee’s email address. When the employee logins into the system, he or she will type the username into the electronic record system access page and hit send. They will then be sent an email or text message with the password, and be prompted to enter it on the electronic health record system access screen. A wrong password entry will notify the IT department, who will be responsible for determining whether there was an attempt to access the patient information by a hacker or whether it was a failed attempt by an employee to enter the system.

References

Pham T. (2014). Two-Factor Authentication for Electronic Health Record (EHR) Apps. Retrieved from https://www.duosecurity.com/blog/two-factor-authentication-for-electronic-health-record-ehr-apps

Shafrin J. (2010). Kaiser Permanente’s EHR System. Healthcare Economist. Retrieved from http://healthcare-economist.com/2010/12/20/kaiser-permanentes-ehr-system/