New requirements under the HITECH Act and HIPAA are proving to be game-changers when it comes to vendor relationships and breach reporting requirements. Meanwhile, health providers must cope with portable electronic devices that are gradually making their way into the workplace. Experts weigh in on what hospital systems need to do to protect their patient data.
Amid the sweeping healthcare regulatory reform measures that have been put into place over the past year, the responsibility of healthcare providers to protect the integrity and privacy of patient data has become more important than ever. Yet, for reasons that are partly regulatory and partly technological, securing patient data has also become more difficult today than ever before.
As hospitals scramble to meet meaningful use requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act, they must also contend with more stringent reporting requirements. In addition, responsibilities of health provider business associates and subcontractors have been broadened under proposed rules, issued in July, that are designed to strengthen the Health Insurance Portability and Accountability Act (HIPAA). The proposed rulemaking would also expand an individual's rights to access their information and restrict certain types of disclosures of protected health information to health plans. In short, all entities with access to patient data now have more skin in the game.
In the technology arena, more data is on the move today, the result of the relentless waves of new handheld devices that clinicians often want to bring into the workplace. Meanwhile, the sheer volume of electronic data that is resulting from the transition to electronic records is requiring healthcare providers to rely more heavily on third-party vendors.
Given the volume of electronic patient data involved, it's perhaps not surprising that breaches are occurring. According to the Department of Health and Human Services’ Office for Civil Rights (OCR), 146 data breaches affecting 500 or more individuals occurred between Dec. 22, 2009 and July 28, 2010. The types of breaches encompass theft, loss, hacking, and improper disposal, and include both electronic data and paper records. To combat such data security violations in the future, experts interviewed for this article say hospitals must focus more attention on encryption, vetting of third-party business associates, and educational efforts to help clinicians recognize the importance of complying with their hospitals’ security measures.
SECURITY: THE LONG VIEW
CIOs charged with securing data in their organizations are finding that successful data security depends on top-down support and on a comprehensive strategy. It also helps to rely on an existing framework of standards for guidance, they say.
Jim Elert, CIO of shared services at the 47-facility Trinity Health, Novi, Mich., says that security is much more than a matter of passwords and firewalls. When building a security program, it's necessary to take a comprehensive view that accounts for governance, policies, and education, so that people who must use the system understand it, he says.
A similar view is expressed by Jennings Aske, chief information security officer at the Boston-based Partners Healthcare. He says healthcare organizations should not view security as primarily a regulatory-driven matter, but one that is intrinsic to meeting the organization's business objectives. “One of the big things in our organization, which I have preached since day one, is to stop chasing the law,” he says. “When organizations do something because it is regulatory-driven, they are missing the big picture. You should be doing security because it is the right thing to do, not because the law says you have to do it.”
At a time when the proliferation of new regulations is putting extra demands on hospital IS departments, some IT security officers have found it helpful to rely on existing standards to help ensure compliance. According to John Kahanek, a principal at the Falls Church, Va.-based CSC who also serves various clients as a chief information security officer, standards offered by the International Organization for Standardization (ISO) and the National Institute of Standards and Technology (NIST) offer useful frameworks that can be used together. In addition, the Health Information Trust Alliance (HITRUST) offers healthcare industry-specific standards that closely mirror the ISO standards, he says. According to Kahanek, the ISO standards are a useful framework for IT, while the NIST standards are referenced in HIPAA. When used together, the NIST standards can address specific details of the ISO framework, he says.
According to Aske, Partners Healthcare has embraced both NIST and ISO standards, which serve as a framework for the health organization's own policies. “As an organization, we are embracing those, because if we embrace those with our new technology projects, or as modifications to existing technology, we will be compliant,” he says. He adds: “A lot of providers think of security through a regulatory lens, but they don't have a framework on which to base a security program.” Regulations will not help providers think through thorny issues providers face when trying to secure their electronic health records, in his view. Leveraging NIST standards “will set you in the right direction with regard to controls to think about in your environment.”
Elert notes that Trinity Health relies on a combination of ISO and NIST standards, and has also considered HITRUST. “We are just looking into it. I get a sense that it is still early,” he says of the organization.
Memorial Healthcare System, Hollywood, Fla., has also adopted parts of both the ISO and NIST standards, according to John Christly, manager of IT security and HIPAA security officer. “We have not adopted one set of standards. It depends on the technology,” he says. Christly adds that his organization also complies with the payment card industry (PCI) standards of the PCI Security Standards Council. “We are a huge credit card processor,” Christly says. “I have found PCI to be the most influential here at the hospital system over the last couple of years.” He says the PCI standards have helped to clarify the controls the provider needs to have in place. “The stance we took in trying to figure out how to make a secure network for the credit card terminals is the same stance you take to try to figure out how to secure where you are taking care of the patient,” he says.
DATA: MOBILE AND DISPERSED
The breach reporting requirements under the HITECH Act have raised the stakes for healthcare providers. As CSC's Kahanek notes, “The biggest thing the hospital has to think about is not the fines that may come, it's the reputation loss. That's how they lose patients.” He believes encryption is crucial for hospitals concerned with protecting their reputations with patients.
The ease with which electronic data can be copied is a top concern of Mac McMillan, chair of the HIMSS Privacy and Security Committee at the Chicago-based Healthcare Information and Management Systems Society (as well as CEO of Austin, Texas-based CynergisTek, Inc.). Many of the reported security breaches come down to either the lack of a reliable process for managing data, or not having the right technology to protect data that is in transit, he says.
Jim Elert of Trinity Health says his hospital system has encrypted all of its 10,000 laptops, a process that took about a year. The first laptops to be encrypted were those used by home healthcare workers, who bring them into patients' homes, he says.
The five-hospital Memorial Healthcare System has also encrypted all of its laptops, and it is in the process of converting all of its computers to thin clients, according to Christly. He adds that the hospital system also uses secure e-mail and file transfer protocols when communicating with its vendors. “We try to make everything as easy as possible to still conduct business, but also be very secure and locked down,” he says.
Jennings Aske of Partners Healthcare notes that broad-based encryption comes with its share of costs as well. His organization encrypts every laptop, even those used by people who do not work with sensitive data. “As an organization, we want to err on the side of caution,” he says. But he adds that this comprehensive approach to encryption brings operational support costs, as well as the need to explain to someone who doesn't work with sensitive data why the organization still requires them to encrypt.
Nonetheless, the fondness that clinicians have for smartphones and other personal handheld devices has posed new security challenges. “The influx of consumer technology has been working its way into the workplace,” says Aske. “We do have people asking us about using technology that we haven't officially sanctioned, but [companies] are bringing into the marketplace.”
In his view, the challenge for hospital IS departments is to educate people about the risks that go with bringing devices that have not been approved by the organization into the workplace. To the extent that such devices are approved and connected to centralized resources, the hospital can push out policies around access and encryption, he says. All the same, he acknowledges that there are a certain number of unapproved devices that are used in the environment.
Keeping track of who has logged on to the network has become a demanding task, and has created a need for tools to help manage the process. “Someone opens our EHRs (electronic health records) 300,000 times a day,” says Elert. He says the hospital system is in the process of putting in a log management system to help manage the operation.
Christly of Memorial Healthcare System uses security information and event management software (supplied by TriGeo Network Security, Inc., Post Falls, Idaho) to monitor network activity.
TIGHTER FOCUS ON VENDORS
Industry observers say that new regulations will make it necessary for health providers to take a harder look at their business associates. It's an area where providers have often been lax, says McMillan of HIMSS. He maintains that one-third to one-half of the reported breaches affecting 500 or more patients involve business associate relationships. Healthcare security, he says, is a shared responsibility between the health provider and the contractor. “We need to quit taking for granted that the folks we do business with are protecting the data as well as we are,” he says.
According to Steven J. Fox, partner with the law firm Post and Schell, P.C., in Washington, D.C., healthcare organizations must do due diligence when evaluating potential vendors. One change that has taken place under HIPAA is that business associates are subject to the same penalties as covered entities, Fox notes. The problem is that many business associates, particularly smaller companies, may not be familiar with that change. “Part of due diligence is educating your trading partner,” he says.
Fox is concerned that small healthcare providers, which will be forced to rely more heavily on outside vendors, are the least equipped to evaluate those companies' security policies. One potential resource, he says, is the regional extension centers (RECs), which can provide some guidance. “There is a big responsibility when you are putting medical privacy data in the hands of somebody out of your control. You have got to make sure that they are as aware, and protect to the same extent as you will,” Fox says.
The task of evaluating business partners is a challenge at large providers as well. Jennings Aske of Partners Healthcare says, “We are trying to take a more proactive approach to fixturing our partners and contractors.” Before approving a vendor's technology, the hospital's IT team performs a risk assessment of the planned deployment strategy, the protocols involved, and the infrastructure, he says.
In his view, healthcare technology is not yet fully mature from a security perspective. “The architecture of the applications and the code of the applications are not subject to the security testing and analysis on the vendor side that I have seen in other industries,” Aske says.
Trinity Health requires vendors to sign a binding agreement, according to Elert. “We make it contractual, that they have to hold to certain standards,” he says. “That is what the government is doing to us.”
Christly of Memorial Healthcare acknowledges that it can be difficult to evaluate outside vendors. “We do a fairly decent job with an RFP [request for proposal] and a business associate agreement of trying to make sure in writing that we are covered. But in reality, you don't know what [vendors] are doing with the data when they get it. There is no way to audit that, to make sure they are not leaking it or selling it.” Nonetheless, Christly says the provider does a “deep dive” of vendors to “make sure that there is no fraud going on.” The IT team asks detailed questions concerning the vendors’ policies on security.
Healthcare Informatics 2010 October;27(10):32-36