HITECH Stage 2 Rules: An Analysis

Experts Sort Through Privacy, Security Provisions

By , August 29, 2012.

Some privacy and security experts who have dug into the 1,446 pages of final rules for Stage 2 of the HITECH electronic health record incentive program say they are mostly pleased with the provisions included to protect patient data (see: HITECH Stage 2 Rules Unveiled).


Both rules are hefty: 474 pages for the electronic health record software certification criteria rule and 672 pages for the meaningful use requirements. Each contains key provisions related to data security.

The most notable security provision, experts say, is the software certification rule requirement that EHR software be designed to encrypt, by default, electronic health information stored locally on end-user devices.

The requirement is significant, given that 54 percent of the largest health information breaches since 2009 have involved the loss or theft of unencrypted computing devices or storage media, according to the official breach tally from the Department of Health and Human Services' Office for Civil Rights.

"Requiring encryption by default for end-point devices is a sound security control and will help to ensure the growing numbers of breaches caused by loss or theft of these types of devices will be prevented," says Rebecca Herold, an independent security consultant who heads the firm Rebecca Herold & Associates.

"By making the encryption transparent and automatic to the end-user, it will ultimately improve protection of patient information," she says. "If you leave it up to each of the millions of physicians, nurses and other healthcare workers to do the encryption themselves, recent history shows that the encryption will simply not be done in millions of endpoints."

Mac McMillan, CEO of the IT security consulting firm CynergisTek, says the software certification encryption provision is just one small step in the right direction. The provision "helps a little, at least with EHR encryption, but it doesn't cover other systems that contain PHI [protected health information] once you're disconnected from the EHR," he notes. That means healthcare providers still will need to be vigilant in ensuring that PHI is protected in all applications where it resides, he adds.

Risk Assessment

In another encryption provision for Stage 2, the meaningful use rule requires that participants conduct a risk assessment that specifically addresses "the encryption/security of data stored in CEHRT [certified electronic health records technology]." The rule also requires providers to "implement security updates as necessary and correct identified security deficiencies as part of the provider's risk management process." But it does not explicitly mandate encryption.

Regulators included this requirement, which shines a spotlight on requirements that already exist within the HIPAA security rule, in hopes of improving the protection of stored information.

McMillan applauds the provision because it helps increase awareness that "you will be responsible for the decisions you make" on whether to encrypt stored PHI beyond the encryption that occurs by default through EHRs.

Similarly, Herold says calling attention to the need to consider encryption of stored data is a good idea.

"I know from seeing many inadequate risk assessment methodologies ... that including an explicit requirement to check for encryption is good and will make covered entities and business associates think twice before simply deciding that they don't want to invest in encryption."

Bill Spooner, CIO at Sharp HealthCare in San Diego, says encrypting data at rest shouldn't be too tricky for healthcare providers.

"The challenges will be around gaining support from those who view technologies like encrypted thumb drives as inconvenient, and ensuring that we have closed any potential detours around the requirement," he says. "The focus on end-user device encryption is quite sensible, as loss of such devices has been the most common cause of breaches to date."

Patient Data Access

Among the final provisions getting a mixed reaction are the meaningful use requirements for hitting a threshold for patients securely accessing their information, such as through a portal with appropriate protections.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
