In Case of Emergency: Securing “Break-the-Glass” Access Protocols
Editor’s Note: This is the fourth post in an ongoing series dedicated to the health care industry.
Links to previous posts:
- Introduction post: Through the Health Care Lens
- Second post: When Health Care Goes Online
- Third post: Phishing Health Care
Though reporting inconsistencies can make reliable statistics difficult to find, the current global pandemic has taken an enormous toll on health care professionals. At least 90,000 health workers around the world are believed to have been infected, with some sources estimating that the true count may be double. And the Centers for Disease Control (CDC) had documented more than 9,200 cases among U.S. health care personnel as of mid-April.
It’s never been more important for workers who are feeling sick to stay home, so many hospitals have faced staffing shortages that threaten to disrupt operations and the continuity of patient care. As hospitals activate emergency plans that call for enhanced patient screening and other triage procedures, some are also redistributing personnel to ensure they can maintain care standards even when they’re exceptionally crowded.
From an information security perspective, this means emergency access to electronic Protected Health Information (ePHI) within electronic medical record (EMR) systems is being granted much more often than usual.
The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities have mechanisms in place to ensure that this type of emergency access is available. HIPAA’s intent is to protect patients’ lives and well-being, especially in cases when access to critical health information might be threatened by power outages, cyberattacks or user authentication system failures. HIPAA also stipulates that the use of these emergency access procedures need to be monitored, especially since it represents a potential security vulnerability. Instances when emergency ePHI access is invoked always need to be logged, and the records created should be available for auditing.
What is “Break the Glass?”
Break-glass, or break-the-glass as it’s called within some EMR systems, refers to a procedure that enables a clinician or end user who doesn’t have access privileges to gain access to ePHI in emergency circumstances. The name comes from the old-fashioned manual fire alarms that required their users to break a pane of glass before activating the alarm. The idea was that accidental contact wouldn’t be forceful enough to break the glass, preventing the alarm from being triggered by mistake.
In EMR systems, break-the-glass protocols typically involve alerting and control mechanisms, such as a pop-up screen warning the data about to be accessed is sensitive and restricted. In some cases, a “double key-turn” procedure is required, in which an additional clinician or credentialed user must log in to approve the emergency access.
Establishing the right emergency protocols is a tricky balancing act: if it’s too easy to log into EMR systems this way, providers may be tempted to employ break-the-glass procedures every time there’s a forgotten password. But if logging in takes too long, patient lives could at risk in a mass casualty event where speed is of the essence.
Preventing Break-the-Glass Misuse
To keep emergency ePHI access procedures from being abused, each instance of break-the-glass access should be documented, and the audit trail made available for later review. Many systems can be configured to automatically notify a system administrator whenever break-the-glass protocols are invoked. But when emergency circumstances demand that clinicians adopt makeshift processes—for instance, if an extraordinary number of health care personnel are absent —this may place an untenable burden on IT security staff. Immediate review of all instances of break-the-glass access is often infeasible.
Nonetheless, stakeholders should keep in mind that if emergency EMR access protocols are being used more frequently than usual, the organization’s overall security posture—along with its ability to meet compliance requirements—may be impacted. It might become necessary to put additional tools in place to provide extra layers of data protection to safeguard patients and clinicians alike.
More specifically, health care organization could leverage a user activity monitoring solution like Forcepoint Insider Threat (FIT) to record interactions with patient data. FIT’s process collection capabilities can be used to automatically record all instances when break-the-glass protocols are activated, and full video replay of sessions can be done when contextual trends indicate there’s a need for further investigation. Forcepoint Data Loss Prevention (DLP) also supports auditing for access to sensitive data in EMRs, and policies can be set to block this data from being exfiltrated after emergency access was granted.
Extraordinary times call for extraordinary measures—to save lives, to protect patient privacy, and enable health care providers to rise to the challenge. At Forcepoint, we’re proud to be part of the solution.