As technology continues to drive the health care industry, the privacy and security of data moving through electronic systems becomes increasingly important and -- simultaneously -- more difficult to achieve.
HITECH Act requirements have led to a surge in IT adoption in health care, including electronic health records (EHRs), computerized physician-order entry (CPOE), medication bar coding, and clinical decision support. Supplementing the technology is a wave of mobile devices from smartphones to tablets, which allow providers more flexibility in how they are accessing and using patient data.
With this surge has come an increase in data breaches, prompting the government to pass updated HIPAA enforcement laws. The data breach notification rule requires providers to disclose when unauthorized access to patient information has occurred.
Despite the more stringent environment, there is little urgency about figuring out how to achieve health IT security among providers who are confident they're already doing enough. A recent survey of SearchHealthIT.com readers indicates that hospital administrators believe they are meeting federal laws with their current policies while, at the same time, they recognize that data protection must be a priority.
Just how much of a priority is the question, however. In the past there has not been a significant amount of enforcement from federal officials, and that has left some physician practices without security policies, according to Robert Tennant, senior policy advisor with the Medical Group Management Association (MGMA). That said, it's likely that the Office for Civil Rights (OCR), which oversees the HIPAA data breach rule, will be more aggressive about enforcement in the future.
With more devices and more technology comes the need for more education, Tennant said. To providers who haven't needed to pay much attention to tech concerns, "it's such foreign territory. A lot of folks have no idea what encryption is."
Fixing that requires education, Tennant added. "I think when you explain it to them in practical terms, it's easier."
The laws themselves could use some work, as well. Data breaches are becoming significant, but the laws only punish; they are not encouraging anyone to look at their networks to see where and how breaches occurred, according to James Tarala, principal consultant with Enclave Security LLC, a data protection services firm. True network security is different from reporting that laptops have been stolen. "I don't know if the controls are in place."
Our health IT security survey explored some of these issues, from what's driving security needs to how systems are being protected; in the results that follow, providers explain their thinking. The results are based on 254 responses from IT professionals and executives at health systems, hospitals, physician practices and other care organizations to an online questionnaire conducted in April 2011.
Who is the biggest influence on whether and how point-of-care wireless devices are used in your hospital?
While physicians and administrators are fairly evenly split in driving technology use at hospitals, with 39% of respondents saying doctors do it and 37% saying administrators do it, several other staff in the organization are also involved.
Some 23% of respondents said device use is a collaborative effort that includes the information services department, nurses and other caregiving staff, corporate executives, privacy and compliance departments, attorneys, marketing and device manufacturers.
What are you doing to ensure hospital wireless network security?
Managers are taking steps to secure their networks and are considering which technologies they'll need to achieve that security. While many respondents feel their networks are secure, more efforts will be focused on encryption and mobile device security in the next year.
Are you planning to update business associate and third-party vendor contracts in the next two years to reflect HIPAA rules?
HIPAA legislation applies to those organizations defined as covered entities -- generally, hospitals, doctor's offices, health plans and claims clearinghouses. The HITECH Act makes HIPAA data breach notification requirements apply to business associates as well. Under HIPAA rules, this term referred to an outside organization, such as a billing service, that creates, receives or handles protected health information (PHI) on a covered entity's behalf. The HITECH Act deems subcontractors, health information exchanges, regional health information organizations and e-prescribing gateways to be business associates as well.
Despite these changes, respondents believe they are prepared to meet expectations. While 33% of professionals said they are planning to update business associate agreements to reflect new HIPAA mandates, 63% said their contracts are already aligned and they don’t need to change them. Another 4% said they plan to update contracts later.
Most professionals are aware that HIPAA mandates affect both their policies and their technology needs. While 45% said they view the mandates as having more of an impact on their policies, the same number of respondents said the laws affect policy and technology equally. Only 8% said HIPAA mandates have a greater effect on technology, and 2% said they have no impact on either.
Which of the following technologies do you plan to purchase in the next year to help your organization achieve HIPAA compliance?
Do HIPAA mandates have greater impact on health IT security policies or technology purchases?
At their core, the new HIPAA laws aim to strengthen patients' consent over the use and disclosure of PHI. Providers are concerned that these myriad regulations will be confusing to implement, but they agree that better protections for patients are needed as the industry moves toward adopting more health IT.
Respondents agree that the rules treating encryption as the best line of defense against data breaches make them more likely to use the technology. Under the breach notification rule, PHI that was encrypted consistent with HHS guidance (which points to NIST standards for data at rest and in motion) is not considered breached when it is lost, provided the decryption key was not exposed along with it. Some 40% of those surveyed are exploring encryption while 54% are already using it.
Data of all sorts is important to an enterprise encryption strategy. Most respondents, 65%, said general hardware along with patient data both at rest and in motion are equally important to protect. Another 19% of respondents said data in motion across real-time systems was the most important to encrypt while 11% said data at rest, or stored in EHR systems and elsewhere, is most important.
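The safe harbor for encrypted patient data at rest only holds when the key is kept apart from the device that holds the ciphertext, and authenticated encryption additionally proves the stored record was not altered. The following Go program is an added example written for this page, not code from the survey or from any vendor or hospital mentioned here. The patient record is constructed sample data, the record identifier is an assumed label, and the "key held elsewhere" arrangement is modelled simply by a key the holder of the ciphertext does not possess.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// sampleRecord is constructed sample data for the example; it is not a real
// patient record.
const sampleRecord = `{"mrn":"000123","name":"J. Doe","dx":"example only"}`

// NewDataKey returns a random 256-bit key for AES-256-GCM. In a real
// deployment the key is issued and stored by a key-management service or
// HSM, never written to the same disk as the ciphertext (assumption for
// this example: the attacker who steals the device does not get the key).
func NewDataKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// SealRecord encrypts a record at rest with AES-256-GCM. The record ID is
// bound as associated data so a ciphertext cannot be silently moved from one
// patient's record to another. Output layout: nonce || ciphertext || tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Seal appends the ciphertext and tag after the nonce.
	return gcm.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord decrypts and authenticates a sealed record. It fails for a
// wrong key, a mismatched record ID, or any modification of the stored
// bytes, which is what a stolen or tampered ciphertext looks like.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns+gcm.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	nonce, ct := sealed[:ns], sealed[ns:]
	return gcm.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key, _ := NewDataKey()
	sealed, _ := SealRecord(key, "mrn-000123", []byte(sampleRecord))

	// Lost-laptop scenario: the thief has the sealed file but not the key.
	thiefKey, _ := NewDataKey()
	if _, err := OpenRecord(thiefKey, "mrn-000123", sealed); err != nil {
		fmt.Println("without the key the file is unreadable:", err)
	}

	// Authorized path: correct key and record ID recover the plaintext.
	pt, _ := OpenRecord(key, "mrn-000123", sealed)
	fmt.Println("authorized decrypt:", string(pt) == sampleRecord)

	// Any edit to the stored bytes is detected by the GCM tag.
	sealed[len(sealed)-1] ^= 0x01
	if _, err := OpenRecord(key, "mrn-000123", sealed); err != nil {
		fmt.Println("tampered record rejected:", err)
	}
}
```

The point of binding the record ID as associated data is that "data at rest" in an EHR is many small records, and swapping ciphertexts between them would otherwise go unnoticed. If the key is stored on the same laptop as the sealed files, none of this applies and the loss must be treated as a breach.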
HIPAA officials have said that when encrypted patient data is lost, it doesn't count as a data breach and therefore is not a violation. Will this make your organization more likely to explore encryption software for patient data?
What is most important to encrypt?
Are you planning to spend more or less on clinical data encryption in the next two years?
As encryption gains importance -- especially in clinical settings, where the use of electronic systems is on the rise -- organizations are beginning to spend more to purchase the technology.
About 45% of respondents said their spending levels would remain the same, but around the same number plan to increase spending 5% to 50%. An additional 8% of respondents said spending would go up 50% to 75%.
Does single sign-on (SSO) play a significant role in user authentication practices?
SSO technology is emerging as a popular choice for the health care industry. A recent Ponemon Institute survey, How Single Sign-On is Changing Healthcare, found that clinicians liked the automated login process -- after entering one password, they had access to all their applications, reducing time spent remembering logins for several systems, not to mention keystrokes and clickthroughs. Of the research institute's respondents, 80% would recommend the technology.
More than half of SearchHealthIT.com respondents are currently using SSO, while another 26% are evaluating it as an option. Fewer than one in five are neither using nor considering it. The convenience concentrates risk, however: one credential now unlocks every application, so the SSO login itself needs strong authentication and shared clinical workstations need short session timeouts.
What is the weakest link in health IT security?
Despite IT adoption, it's the low-tech actions of people that are still causing security concerns, according to readers. Half of respondents said staff leaving laptops or medical records in open areas is the weakest link. This claim matches OCR research on significant health care data breaches. Unencrypted data is another security concern, according to 22%.
While wireless devices and equipment that jams network frequencies are problems, say 11% and 4% of respondents, respectively, another 13% named different health IT security concerns. Those include the following:
- staff who didn’t follow policies;
- older, cumbersome network security controls;
- personal devices that are not managed as part of the network; and
- difficulty tracking the myriad ways data can leave the hospital.
Let us know what you think about the story; email Jean DerGurahian, Executive Editor.