CEOs as Privacy Leaders
Setting the Tone for a Change in Culture
Healthcare organizations should make widespread use of encryption because it's the single most essential technology to use for breach prevention, says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT.
"We still see the largest impact of breaches has been from lost and stolen technology," Pritts says in an interview with Information Security Media Group (transcript below). "For those items, there's a pretty simple solution: encrypt. Encryption methods are much more advanced than they were five years ago, and there really is not a good reason at this point, if you're purchasing new technology, not to make sure that you can encrypt it."
More than half of major breaches reported to the Department of Health and Human Services since September 2009 have been tied to lost or stolen unencrypted devices, especially laptops (see: Wall of Shame: Four Years Later).
A second important breach mitigation step, Pritts says, is to ensure that healthcare organizations have the policies and procedures in place to prevent insiders from snooping into patients' records. "And if you find out that they're doing that [snooping], take action against them," she urges.
In the interview, Pritts also discusses:
- The provisions of the HIPAA Omnibus Rule that will likely have the biggest impact on safeguarding patient health information;
- The privacy and security requirements being hammered out for Stage 3 of the HITECH Act's electronic health record incentive program;
- Privacy and security issues related to medical devices.
Pritts joined ONC, a unit of the HHS, in 2010 as the office's first chief privacy officer. In that role, Pritts provides advice to the HHS secretary and the National Coordinator for Health IT about developing and implementing ONC's privacy and security programs under HITECH. Pritts also works closely with the Office for Civil Rights and other divisions of HHS, as well as with other government agencies, to help ensure a coordinated approach to key privacy and security issues. Before joining ONC, Pritts held a joint appointment as a senior scholar with the O'Neill Institute for National and Global Health Law and as a research associate professor at the Health Policy Institute at Georgetown University.
Biggest Privacy, Security Challenges
MARIANNE KOLBASUK MCGEE: What do you think are the biggest privacy and security challenges facing the healthcare sector today? Looking ahead, what emerging privacy and security challenges do you see?
JOY PRITTS: Right now, I think we still see the largest challenge in the healthcare sector as being one of culture. There's still a culture that privacy and security are barriers to the provision of health. We see privacy and security actually as being facilitators and that, when the message from the top is that privacy and security are good for the patient and good for business, we will see more of an attitude that these are things that organizations should be doing very willingly and will see the benefit to them and their patients.
MCGEE: What sorts of privacy and security issues do you worry about when it comes to medical devices?
PRITTS: First, I'd like to make a little distinction here between medical devices and mobile devices. A lot of people are thinking of medical devices as being maybe your little monitor you have on your arm, but there's also this very large category of medical devices that are really associated directly with healthcare that are in not only hospitals and healthcare organizations, but are also remotely based at a patient's house. The adoption of those is also escalating very quickly, and there's a lot of work being done with the FDA and some work with our office on assessing what those security issues are with those devices and how to ensure that they're secure as we move forward.
Stage 2 Privacy, Security Requirements
MCGEE: Please highlight the most significant privacy- and security-related requirements in Stage 2 of the meaningful use electronic health record incentive program funded by the HITECH Act.
PRITTS: Stage 2 keeps some of the privacy and security requirements of Stage 1, and probably chief among those is the requirement that providers do a security risk analysis. All it really does is it requires providers to do what they're already required to do under HIPAA, and they have been required to do it for a number of years under HIPAA. But this requirement has been very beneficial because it has really shown the light on this requirement that for some reason many providers seemed that they were not aware that they needed to do.
It starts off as a very basic requirement in that you don't just plug in an electronic health record or a computer and start using it without knowing what kinds of security risks might be present. It does not need to be very complicated. There are a number of different steps to take in it, but it's probably still one of the most important aspects of meaningful use Stage 2 because a provider will not receive an incentive payment unless they've actually assessed how the change they're making in their EHR system is going to be impacted by adopting this new technology.
One of the other major developments in Stage 2 has been the view, download and transmit provision, which requires the technology to have the function that an individual can see their health information, download it to themselves and transmit it to a third party. This piece is intended to dovetail with HITECH's new clarification that an individual has electronic access to their health information. The provision in meaningful use is really set there to make sure that the technology is in place to make sure people can exercise that right.
MCGEE: What should hospitals, physicians and EHR vendors be doing now to prepare to meet Stage 2 privacy and security requirements?
PRITTS: They should, first and foremost, read the list that's provided by CMS of the different requirements, not only for the technology that they need to use but also for the activities that they will need to conduct in order to meet those requirements. They should be reviewing the list of vendors who have been certified as having the requisite technology available in their EHR products.
Looking Ahead to Stage 3
MCGEE: What privacy and security requirements are likely to be added for Stage 3 of the program?
PRITTS: That's still really very much up for debate. There's been a lot of discussion at the policy committee among the work groups about whether there should just be a continuation of the privacy and security requirements of Stage 2 or whether there should be some pushing of the envelope, as it were. I believe that the Tiger Team, in particular, decided that they would recommend staying the course with the security risk assessment and not getting into much more detail than that. I do believe that there are also some discussions on the consumer engagement work group about moving forward more with providing patients access to their own information and making sure that patients stay at the center of their care.
HIPAA Omnibus Rule
MCGEE: What provisions in the HIPAA Omnibus Rule do you think will have the biggest impact in terms of efforts to better safeguard the privacy of patient data?
PRITTS: I think the biggest change ... is extending the security requirements directly to business associates and making them responsible directly for some of the privacy rules and restrictions on use and disclosure. This is going to really make a lot more organizations directly responsible under the rules and will inevitably expand the use of good security and privacy policies.
Breaches: Lessons Learned
MCGEE: What lessons do you think can be learned from the breaches that have shown up on the HHS "wall of shame" to date? What do you think the main message so far has been?
PRITTS: I think there are two main messages that you can garner from the breaches that have been reported. The one is pretty pedestrian, which is have policies in place to prevent people from snooping into other people's records - and if you find out that they're doing that, take action against them. That's still one of the most common reported breaches, even with all this technology that we have.
On the technology front, we still see the largest impact of breaches has been from lost and stolen technology. We still continue to see laptops that are lost or stolen or cell phones lost or stolen. In particular, for those items, there are pretty simple solutions: encrypt. Encryption methods are much more advanced than they were five years ago, and there really is not any good reason at this point, if you're purchasing new technology, not to make sure that you can encrypt it.
ONC's Privacy, Security Agenda
MCGEE: Finally, please tell us a little about what ONC's privacy and security agenda looks like for next year.
PRITTS: It's a little hard to say. We're still waiting to see how things come out in the budget process, but we do see that patient access will continue to be a big issue. Patient-centered outcomes research is moving to the forefront, and that will involve a lot of discussion about the various rules that come into play for the various players in that area. Lastly, we see some development along the cloud-services front, where more providers will probably be looking to move their services to the cloud, and that may be an area where we'll be able to offer some assistance as well.