In Case of Emergency: Securing “Break-the-Glass” Access Protocols

AZ Sint-Lucas Hospital story

The Health Insurance Portability and Accountability Act (HIPAA) requires that covered entities have mechanisms in place to ensure that this type of emergency access is available. HIPAA’s intent is to protect patients’ lives and well-being, especially in cases when access to critical health information might be threatened by power outages, cyberattacks or user authentication system failures. HIPAA also stipulates that the use of these emergency access procedures need to be monitored, especially since it represents a potential security vulnerability. Instances when emergency ePHI access is invoked always need to be logged, and the records created should be available for auditing.

From an information security perspective, this means emergency access to electronic Protected Health Information (ePHI) within electronic medical record (EMR) systems is being granted much more often than usual. 

Break-glass, or break-the-glass as it’s called within some EMR systems, refers to a procedure that enables a clinician or end user who doesn’t have access privileges to gain access to ePHI in emergency circumstances. The name comes from the old-fashioned manual fire alarms that required their users to break a pane of glass before activating the alarm. The idea was that accidental contact wouldn’t be forceful enough to break the glass, preventing the alarm from being triggered by mistake.

What is “Break the Glass?”

Establishing the right emergency protocols is a tricky balancing act: if it’s too easy to log into EMR systems this way, providers may be tempted to employ break-the-glass procedures every time there’s a forgotten password. But if logging in takes too long, patient lives could at risk in a mass casualty event where speed is of the essence.

In EMR systems, break-the-glass protocols typically involve alerting and control mechanisms, such as a pop-up screen warning the data about to be accessed is sensitive and restricted. In some cases, a “double key-turn” procedure is required, in which an additional clinician or credentialed user must log in to approve the emergency access. 

To keep emergency ePHI access procedures from being abused, each instance of break-the-glass access should be documented, and the audit trail made available for later review. Many systems can be configured to automatically notify a system administrator whenever break-the-glass protocols are invoked. But when emergency circumstances demand that clinicians adopt makeshift processes—for instance, if an extraordinary number of health care personnel are absent —this may place an untenable burden on IT security staff. Immediate review of all instances of break-the-glass access is often infeasible.

Preventing Break-the-Glass Misuse

More specifically, health care organization could leverage a user activity monitoring solution like Forcepoint Insider Threat (FIT) to record interactions with patient data. FIT’s process collection capabilities can be used to automatically record all instances when break-the-glass protocols are activated, and full video replay of sessions can be done when contextual trends indicate there’s a need for further investigation. Forcepoint Data Loss Prevention (DLP) also supports auditing for access to sensitive data in EMRs, and policies can be set to block this data from being exfiltrated after emergency access was granted. 

Nonetheless, stakeholders should keep in mind that if emergency EMR access protocols are being used more frequently than usual, the organization’s overall security posture—along with its ability to meet compliance requirements—may be impacted. It might become necessary to put additional tools in place to provide extra layers of data protection to safeguard patients and clinicians alike.