Data Security Not High On Hospitals' Priority List

Fewer than half of large facilities conduct annual risk assessments, but that might have to change, according to CSC consultant.
Slideshow: Siemens Healthcare DataCenter Virtual Tour
Slideshow: Siemens Healthcare Data Center Virtual Tour
(click for larger image and for full slideshow)
New HIPAA data security requirements and the Meaningful Use criteria for the security of personal health information (PHI) make it essential for hospitals to beef up their security measures, says a new report from the CSC consulting firm. Yet according to a HIMSS study cited in the report, fewer than half of hospitals even do an annual security risk assessment.

According to the rules for stage 1 and the putative rules for stage 2 of Meaningful Use, CSC consultant Jared Rhoads writes in his report, institutions must conduct an annual risk analysis and correct any deficiencies "by implementing the appropriate policies and technical capabilities."

Under the HITECH provisions of the American Recovery and Reinvestment Act, HIPAA security provisions are also being tightened. Proposed regulations--expected to be finalized this fall--require new breach notifications, extend security rules to business associates, further restrict the marketing and sale of PHI, and mandate annual risk assessments.

Yet a HIMSS survey of large healthcare organizations found that just 47% conduct risk annual assessments. Fifty-eight percent of the respondents had no staff members dedicated to security, and 50% spent 3% or less of organizational resources on security.

Rhoads wasn't surprised that so few hospitals put an intense focus on data security. Some hospitals think that security technology alone will protect them, "but it's a lot deeper than that," he told InformationWeek Healthcare. "You have to have the right processes and do continual training and risk assessments."

Rhoads also points out that some hospitals might have been lulled into complacency because the government did not strictly enforce the HIPAA security rules until recently. But now the Office of Civil Rights (OCR) is taking a more aggressive stance toward enforcement. Starting later this year or early in 2012, OCR will start auditing organizations for compliance, he noted. Because of this, the new HIPAA regs, and the Meaningful Use requirement, he expects hospitals to step up their security efforts.

Not that hospitals haven't been trying to improve their security. In HIMSS' 2011 Leadership Survey, 26% of responding CIOs said their organization had experienced a security breach in the past 12 months, slightly more than in the previous year. Thirty-six percent of respondents said this was their biggest security concern. The second largest number of respondents--30%--said that complying with HIPAA and CMS regulations was their biggest security issue. Lack of compliance with a business associate agreement was far down the list, with only 3% of respondents saying this was a major worry.

Rhoads said that it will be difficult for providers to police the security processes of their business associates--and it will be even more problematic if the HIPAA final rule also covers subcontractors of business associates, as proposed. He suggested that healthcare providers include language addressing security in their contracts with business associates. Also, he said, they should hold regular meetings with these entities to review their security policies.

Rhoads also recommended that hospitals encrypt their data, if they don't already. While the proposed HIPAA rule doesn't require that, it does say that encryption is "addressable"--meaning that if you don't encrypt data, you have to destroy it, according to the CSC consultant. Moreover, he noted, there's a safe harbor for encryption: If encrypted data is lost or stolen, the breach doesn't have to be reported in the same way as a breach of unencrypted data.

Two-factor authentication--using two different types of data to authenticate someone logging onto the system--is not going to be required any time soon, Rhoads said. But someday it might be required for remote access to a hospital system or for health information exchange, he added.

Find out how health IT leaders are dealing with the industry's pain points, from allowing unfettered patient data access to sharing electronic records. Also in the new, all-digital issue of InformationWeek Healthcare: There needs to be better e-communication between technologists and clinicians. Download the issue now. (Free registration required.)