Meaningful Use Stage 3 requirements are coming—and this new set of rules is poised to be more detailed and challenging than those that came before. Kevin Ritter, Vice President of Managed Services at Allscripts, has been working with healthcare organizations, both domestically and internationally, on meaningful use requirements for years. And with stage 3 on the horizon, Ritter contends that provider organizations need to start thinking about their security programs now.
Ritter talks with Healthcare Informatics about why it’s not enough to simply have security policies in place, why good security doesn’t have to interfere with patient engagement or mobile healthcare practices, and why every healthcare executive needs to be able to answer, “Where does your data live?”
How are most healthcare organizations responding to the meaningful use stage 3 requirements? What are the biggest concerns?
Kevin Ritter: In one sense, many organizations are feeling quite relieved. They’ve done what they needed to do to make it to this point, if you will. It’s nearly the finish line. And it wasn’t easy. There’s been a lot of time, a lot of work, and a lot of investment to get to this stage. Stage 1 was all about getting the infrastructure for electronic records in place. Stage 2 was having the electronic record and showing that it works in that infrastructure. And now there’s this last stage—and organizations are thinking hard about how to best implement this new round of objectives.
I think there are really four points that are key to success at this stage. One, and perhaps most importantly, is the security piece. Protecting patient health information (PHI) and making sure there is a corrective process to continue to provide protections based on the measures that are out there. Second, there is an interoperability piece here with the use of public exchanges. Third, you are going to see increased computerized physician order entry (CPOE) and clinical decision support rules. And then, finally, there will also be a consumer healthcare aspect to this. People are thinking about how to make records easily and efficiently accessed by patients.
What are some of the biggest misconceptions concerning security as it relates to stage 3?
Ritter: In stage 1 and stage 2, providers got accustomed to doing static security tests—these kind of one-off, check-the-box kind of measures. But stage 3 is going to require an ongoing risk and security assessment program. So the big misconception is that provider organizations are going to be able to continue to do the same kind of assessments and meet the bar. And that won’t be the case this time around.
How does that misconception intersect with increased use of mobile and telehealth programs?
Ritter: Mobile is a huge concern. Physicians, caregivers, and even patients have so many devices now that can access PHI. So healthcare organizations need to be very, very diligent about establishing the right procedures and policies around PHI and how to best protect it. And they have to do more than just come up with these policies. They have to find ways to enforce them. And that can get a little tricky.
There’s no doubt that organizations have made tremendous investment in security within healthcare organizations over the past four or five years. But security officers have to be aware that physicians and caregivers need to have the right types of technology on hand. Because too often physicians who don’t have secure text messaging will take matters into their own hands and start sending PHI over less-than-secure channels. And then we have the cloud, which has tremendous benefit from a technology perspective. But you need to make sure any PHI that resides in the cloud is protected. The simple truth is when you have data in motion, it becomes much harder to protect. And you have to be very cognizant of that.
We talk a lot about interoperability in healthcare these days. But what comes along with interoperability is data flowing all over the place—and more security risks to PHI. So you need to create the right safety parameters to protect all that data. And figuring out those parameters, and then using them to build a comprehensive security program, starts with an inventory of where your data is and where it can go.
What are some of the biggest challenges provider organizations face moving forward? How can they best meet them?
Ritter: The biggest challenge, first and foremost, is knowing where your data lives. Having that inventory in place. So many provider organizations have tons of systems they are using for one-off requirements—and most of them contain some level of PHI. So doing an inventory, taking the time to identify where all the PHI lives is the first step in moving forward and meeting some of these challenges. You need to know where your data lives, plain and simple. Second, you have to make sure your systems are up to date. Many systems have a lot of new security patches and upgrades. And while there is a bit of fatigue with the amount of work that has to be done concerning meaningful use, organizations have to keep updating systems that contain vital information. And finally, it comes back to that policy enforcement piece. Your security policy is no good unless you are actually enforcing it and making sure you are being diligent about protecting your organization’s PHI.
What should healthcare IT executives consider when partnering with vendors for stage 3?
Ritter: When you look at vendor organizations, you want someone who can do a certain level of consulting work around security, certainly. But stage 3 has several key requirements to be met so you want a reputable, credible vendor that has shown they can get the job done in both stage 1 and stage 2. They’ve shown good outcomes and they are prepared to help you implement these next steps. What you don’t want is a vendor who is just getting started with stage 3.
What is the most important thing that healthcare organizations should be thinking about as they approach stage 3—and associated security measures?
Ritter: If I have to distill it down to just one thing, it goes back to understanding where your PHI lives and breathes. Every healthcare executive, in every healthcare organization, should know where their PHI lives. They should be able to tell you what kind of applications and systems are capturing PHI. They should understand what policies and procedures are in place to protect PHI—and what corrective action is taken when there is some sort of breach. There needs to be a certain level of ownership at the executive level or else any policy you have isn’t going to get the job done.