EHR Incentives Spur Security StepsHITECH Payments a Catalyst for Information Protection
Many hospitals and physician groups are planning to apply for Medicare or Medicaid EHR incentive payments, which are funded by the federal economic stimulus package. Federal authorities began accepting applications for Stage 1 this month. And as healthcare organizations expand their use of EHRs, many are ramping up their security efforts to protect newly digitized information. For example, they are:
- Initiating or updating risk assessments;
- Expanding use of encryption and secure e-mail;
- Investing in new technologies, such as data loss prevention;
- Training staff on security issues.
Risk AssessmentsAlthough the HIPAA security rule, which went into effect in 2005, required healthcare organizations to conduct a risk assessment and then mitigate identified risks, one recent survey found that 14 percent of hospitals and 33 percent of clinics have yet to conduct their first risk assessment. But now that the EHR incentive program also requires such assessments, more organizations are launching them or updating out-of-date assessments.
"When it comes to EHR meaningful use for HITECH, all of a sudden the issues of risk analysis and mitigating potential threats are coming to the forefront," says Robert Tennant, senior policy adviser at the Medical Group Management Association (See: HITECH: Security Reminder for Clinics).
Conducting a risk analysis "is very foreign for most physician practice administrators," Tennant acknowledges. "Most are not experts in the field of encryption and user authentication and those types of tactical details."
When it comes to qualifying for the EHR incentives, "An overlooked and challenging aspect is the performance of risk management ... including a risk assessment, to protect the confidentiality, integrity and availability of protected health information," says Bonnie Cassidy, president of the American Health Information Management Association
To qualify for incentives, hospitals and physicians must use an EHR system that's been certified to include specific functions, include a long list of security features. "But it's the human side of actually using that software that makes or breaks the security," Cassidy says (see: The 'Human Side' of EHR Security).
She points out that users can turn off security functions within an EHR, "and then your entire security system is violated." As a result, staff education on how to handle security as more records are automated is essential, she stresses.
To mitigate risks as they adopt EHRs, physician groups must ask a lot of "what if" questions, Tennant says. One example is: "What happens if a laptop is stolen?" Those what-if questions should lead to investments in encryption and other technologies and trigger the development of clear-cut policies and procedures, he stresses.
"All of the those technical things that traditionally we haven't given much attention to are now coming to the forefront," Tennant says.
Outsourcing Risk AnalysisMany smaller clinics, including Summit Medical Associates in Hermitage, Tenn., rely on outsourcers for certain information technology functions, including conducting risk assessments.
But the eight-physician practice has not yet figured out its security priorities for 2011 because it's still awaiting a vendor upgrade of its EHR software to meet the HITECH certification requirements, says Tammy Sawyer, information systems manager.
Once the practice test-drives the security functions of its next-generation EHR system, it will determine how to implement them and what other technologies to add, she says. "We don't yet know what we're going to have to do."
Even larger hospitals, like 453-bed Pomona Valley Hospital Medical Center in California, frequently rely on outside help to conduct and update their risk assessments. The hospital, which plans to apply for the EHR incentives, likely will move to annual rather than biannual risk assessments as it completes the rollout of all components of its inpatient and outpatient EHR systems, says Kent Hoyos, CIO.
Meanwhile, to protect all the information it's adding to its EHRs, the hospital is expanding its use of encryption, especially for mobile devices. And it's considering an investment in data loss prevention software to help pinpoint all the devices where protected health information is stored so it can be properly secured or removed, Hoyos says.
The hospital also is fine-tuning its use of secure e-mail, beefing up its business associate agreements to ensure data is protected and devising a more formal policy for responding to health information breach incidents.
The HITECH incentive program may have sped up some of these investments, but all were already in the works as part of a long-term EHR deployment, Hoyos says. Another powerful cost-justifier was the desire to prevent breaches, he adds.
As a result of the HITECH Act breach notification rule, major health information breaches must be reported to federal authorities, as well as those affected, and they're posted on a Health and Human Services website.
HITRUST FrameworkUpdating a risk assessment is also a priority at the 38-hospital Catholic Health East system. The system has been using the HITRUST Common Security Framework, a free compliance guide, to help guide its security strategies and will continue to use it as it applies for EHR incentives, says Bryan Cline, Ph.D., chief information security officer. "We are now looking for a vendor to do a comprehensive security assessment against the HITRUST framework," he adds.
Because the HITECH incentive program mandates the mitigation of risks that are identified, "My approach is basically to determine a set of controls to manage risk to an acceptable level," Cline says.
Like Pomona Valley Hospital, the hospitals in Catholic Health East likely will implement data loss prevention technology in the months ahead. They also will expand their use of encryption to include desktops in addition to mobile devices and media, Cline says.
Cassidy of AHIMA offers an important reminder to hospitals and physicians ramping up their use of EHRs: "There's a need for constant training and retraining of the workforce about the confidentiality of patient information."