Time for an Epic security overhaul?
Plunging into the intricacies of Epic's security templates isn't easy, but the payoff is big.
Healthcare organizations that have been running Epic for five or more years without a full overhaul of security are probably due for one. It may be tempting to kick that can down the road, but security overhauls are critical for minimizing a number of significant risks and achieving some real benefits.
Security overhauls aren't fun or easy, and tend to be bigger projects than IT leaders initially estimate. Unless an organization has multiple dedicated security analysts on staff — few do — overhauls usually require bringing in some outside help.
But the effort put into a solid security overhaul can pay for itself many times over just in terms of dodging bullets. An Epic system with security weaknesses can invite data breaches, HIPAA violations, out-of-license practicing, and missed co-signs and supervision requirements. Where security is unnecessarily restrictive, it can lead to inefficiencies and cause clinicians and operating staff to overlook critical data.
At the same time, a thorough security tune-up can actually improve performance in all areas of the organization. An overhaul often leads to end users getting new access to useful tools, reports and dashboards that they had been unnecessarily locked out of and may not even have known about. And they usually end up with a cleaner workspace freed of tabs and other clutter that are of little relevance to them, along with a smoother workflow and reduced click burden.
Include a security tune-up
A security tune-up is often part of an Epic Refuel. Because of the tune-up's impact on the EMR system and EMR users, we frequently encourage addressing security first during a Refuel.
At the core of a security overhaul is a thorough, careful examination of all the Epic security templates, which spell out which users in which security classes have access to which data in which modules. That's a big chore, and it's made bigger by the fact that organizations tend to have far more templates than they need — sometimes twice as many.
Why so many unnecessary templates? For one thing, organizations often aren't quite as rigorous as they could be in naming and documenting templates. So security analysts, especially those who are new to the organization, may simply be unaware when they create a new template that they're duplicating one that already covers the same ground. One example: A group of care providers may be named one way in a template that covers one of their roles, but end up being named differently in a separate template that addresses a slightly different role for the same group, even though the security aspects of the two roles are identical. Why give nurses one template in one department, and a second template for a different department, if they're doing roughly the same job in both departments?
A good overhaul will typically reduce the number of templates by 30 to 50 percent. That means that future work on security will go more quickly and efficiently. But more importantly, the process of poring over the templates one by one, line by line, allows tuning each template to provide exactly the right access in the right situations. For each template, the analyst needs to consider whether every point of access granted by the template is really required for that role, and whether there are other points of access that would be useful and appropriate but that aren't currently provided. The result will be tighter security overall, and yet improved access in ways that will support performance.
It's a lot of work, and not just for security analysts. Security touches every part of the organization, and all those parts interact. That means physicians, nursing, pharmacy, billing, hospitality — everyone needs to have members on the security overhaul team, working with analysts to make sure the templates reflect everyone's needs and minimize unnecessary obstacles. A siloed approach won't work in security.
All this can be a bit overwhelming for in-house security analysts, who, after all, have plenty to do outside of overhauls. Plus, they tend to be in short supply in healthcare organizations, and often leave to join consulting firms where they can work with multiple clients remotely from home.
That's why Leidos often comes in to help with overhaul projects, especially when it comes to getting the project rolling and establishing priorities. Many clients have found that taking advantage of our analysts' extensive experience with all the intricacies of Epic security can be a real shortcut to a successful overhaul.
The benefits can be measured in workflows improved and bullets dodged.