Security experts warn that provider leaders who ignore data security put their organizations at risk
As hospitals move forward in implementing electronic health records, data security is often treated as the proverbial 800-pound gorilla in the room: many still have not taken adequate steps to control the data in their organizations. That will change in the next few years, say experts, who predict that hospitals will face increased pressure to develop a good understanding of where sensitive data reside, who has access to them, and how the data are being used.
“There is still a lot of work to do in the industry with regard to security,” says Mac McMillan, chair of the HIMSS Privacy and Security Committee at the Chicago-based Healthcare Information and Management Systems Society.
As noted in the 2010 HIMSS Security Survey, released in November, Stage 1 meaningful use incentives call for the use of formal risk analysis and the application of the outcomes to modify the use of controls, policies and procedures. At present, one-quarter of the sample population would not qualify for meaningful use incentives. Moreover, a robust security environment is crucial as hospitals and medical practices increasingly share information with outside organizations, the report says.
According to McMillan, all of this comes back to one issue: providers need to get a handle on their data. And to do that, providers will need to do three things:
Perform risk assessments to identify where the risks are or could be.
Use data loss prevention technology to discover where data reside, and to understand the scope of what must be protected and the types of controls that are needed.
Audit, using network log management and, especially, application log management technology to track what people are doing with the data.
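The third step, application log management that tracks what people are doing with the data, is the one most often left to a product; the logic underneath it is straightforward. The script below is an added illustration, not code from the article, from HIMSS, or from any EHR vendor. It parses constructed audit records (the JSON field names, the role policy, the care-team assignments and the hourly threshold are all assumptions made here for the example) and raises three kinds of findings a privacy officer would want to review: an action a role is not permitted to take, access to a patient the user has no documented treatment relationship with, and an unusually large number of distinct patients touched by one user within an hour.

```python
"""Review EHR application audit logs for access that merits follow-up.

Added example for this article; the log schema, roles, assignments and
threshold below are constructed for illustration, not a vendor's format.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed sample: one JSON audit record per line (assumed field names).
SAMPLE_LOG = """\
{"ts": "2010-11-15T08:02:11", "user": "drsmith", "role": "physician", "action": "view", "patient": "P1001"}
{"ts": "2010-11-15T08:05:40", "user": "drsmith", "role": "physician", "action": "update", "patient": "P1002"}
{"ts": "2010-11-15T08:09:03", "user": "rnlee", "role": "nurse", "action": "view", "patient": "P1001"}
{"ts": "2010-11-15T08:11:27", "user": "rnlee", "role": "nurse", "action": "view", "patient": "P2000"}
{"ts": "2010-11-15T08:14:55", "user": "billing1", "role": "billing", "action": "view", "patient": "P1001"}
{"ts": "2010-11-15T09:00:00", "user": "clerk7", "role": "nurse", "action": "view", "patient": "P3001"}
{"ts": "2010-11-15T09:03:12", "user": "clerk7", "role": "nurse", "action": "view", "patient": "P3002"}
{"ts": "2010-11-15T09:07:45", "user": "clerk7", "role": "nurse", "action": "view", "patient": "P3003"}
{"ts": "2010-11-15T09:12:30", "user": "clerk7", "role": "nurse", "action": "view", "patient": "P3004"}
{"ts": "2010-11-15T09:18:09", "user": "clerk7", "role": "nurse", "action": "view", "patient": "P3005"}
{"ts": "2010-11-15T09:25:51", "user": "clerk7", "role": "nurse", "action": "view", "patient": "P3006"}
"""

# Constructed care-team assignments: which patients each user is documented
# as treating. In a real deployment this comes from the scheduling or ADT feed.
ASSIGNMENTS = {
    "drsmith": {"P1001", "P1002"},
    "rnlee": {"P1001"},
    "billing1": set(),
    "clerk7": {"P3001", "P3002", "P3003", "P3004", "P3005", "P3006"},
}

# Constructed role policy: actions each role is permitted to perform.
ROLE_ACTIONS = {
    "physician": {"view", "update", "print"},
    "nurse": {"view", "update"},
    "billing": {"view_billing"},
}

# Distinct patients one user may touch in an hour before it is flagged (assumed).
BULK_THRESHOLD = 5


def parse_log(text):
    """Parse one JSON record per line into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def check_events(events, assignments=ASSIGNMENTS, role_actions=ROLE_ACTIONS,
                 bulk_threshold=BULK_THRESHOLD):
    """Return a list of findings; each is a dict with a 'reason' and context."""
    findings = []
    per_hour = defaultdict(set)  # (user, hour bucket) -> distinct patients
    for e in events:
        # Check 1: the action is outside what the user's role is allowed to do.
        if e["action"] not in role_actions.get(e["role"], set()):
            findings.append({"reason": "action_not_permitted_for_role",
                             "user": e["user"], "role": e["role"],
                             "action": e["action"], "patient": e["patient"],
                             "ts": e["ts"].isoformat()})
        # Check 2: the user has no documented treatment relationship with the patient.
        if e["patient"] not in assignments.get(e["user"], set()):
            findings.append({"reason": "no_treatment_relationship",
                             "user": e["user"], "patient": e["patient"],
                             "ts": e["ts"].isoformat()})
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        per_hour[(e["user"], hour)].add(e["patient"])
    # Check 3: volume of distinct patients per user per hour.
    for (user, hour), patients in sorted(per_hour.items()):
        if len(patients) > bulk_threshold:
            findings.append({"reason": "bulk_access", "user": user,
                             "hour": hour.isoformat(), "patients": len(patients)})
    return findings


def audit(text=SAMPLE_LOG):
    """Parse and check a log; returns the findings list."""
    return check_events(parse_log(text))


if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

On the constructed sample this reports four findings: rnlee viewing a patient outside her assignments, billing1 both taking an action its role does not permit and having no relationship with the patient, and clerk7 touching six distinct patients in one hour. Two design points carry over to real deployments: the relationship check is only as good as the assignment feed behind it, so emergency ("break-glass") access needs a documented exception path rather than a disabled check, and the volume threshold should be set from observed baselines per role rather than a single fixed number.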
To be sure, putting in the proper controls requires a fairly significant investment (McMillan estimates about $1 million in upfront costs), but one that is just a fraction of the outlays required for a certified electronic health record system. “Across the board we are not spending enough on data security, and that tells me that it is not quite an institutional priority,” he says.
Traditionally, security has been viewed as a cost, when in fact it is an enabler. Once hospitals have a good handle on where their data are, they will be able to make informed decisions about where to invest in appropriate technology.
Sagi Leizerov, a data security expert with Ernst & Young LLP, Secaucus, N.J., notes that while many of the security issues facing CIOs, chief security officers, and privacy officers at hospitals are not new, the convergence and uptake of various IT technologies is bringing new urgency to the data security arena.
As providers move forward on compliance with meaningful use under the HITECH Act, they are implementing electronic health record solutions capable of communicating with an ever wider array of portable media. Mobile devices such as smartphones, iPads, and Droids have proved to be very popular among clinicians. Portable media are an especially sensitive area for provider organizations because they allow clinicians to work with protected health information using their own devices, Leizerov says.
“Security and privacy measures have to change, and the level of rigor behind them, because of these great improvements.” (Sagi Leizerov)
Cloud computing, which is being embraced by many hospitals as a cost-effective way to introduce new software solutions, also presents security challenges. Many cloud services providers may operate outside the U.S., putting them out of reach when breaches of electronic protected health information occur, Leizerov says.
In addition, various technologies that allow patients to take a more active role in their healthcare are on the rise. Leizerov says many providers are using social networking tools to stay in touch with and monitor their patients, and pharmaceutical companies have been adept at supplying devices such as blood pressure monitors that allow the patient to communicate information from the device to a Web site.
RAISING THE BAR
“These are fantastic improvements,” says Leizerov, but he cautions that the level of use of these technologies and the increased amount of data have raised the bar for maintaining security at provider organizations. He says that data breaches are a concern, and also points to an increase in the incidence of health-related fraud, as well as insider threats from employees abusing the access given to them.