WASHINGTON – As the healthcare system becomes more connected, it will become a breeding ground for risk to individual privacy, confidential information, data integrity and service availability, according to health IT security experts, who say consumers are most worried about maintaining privacy.
Establishing trust is the “essential enabler” for the adoption of electronic health records, said Dixie Baker, SAIC senior vice president and chief technology officer for health solutions. She is also chair of the advisory Health IT Standards Committee’s privacy and security work group.
“It’s not that we’re just trying to keep the information from going where it shouldn’t go. It’s also essential that we make sure that the information goes where it is needed. Both of those are necessary to build that trust in consumers,” she said June 14 at the government health IT conference hosted by the Healthcare Information and Management Systems Society (HIMSS).
[See also: 12 steps for surviving a privacy breach investigation.]
A security assessment by healthcare providers is the foundation for establishing strong enough safeguards to reduce threats to sensitive information, such as Internet malware, misbehaving employees, untrustworthy business partners and curious snoopers, she explained.
A security assessment is a requirement of Stage 1 of the meaningful use of electronic health records (EHRs) as well as mandated by the Health Insurance Portability and Accountability Act (HIPAA).
A security assessment is the key ingredient of risk management, a strategy for identifying risk using policies, practices and technology to detect and counter threats, lessen vulnerabilities, continue critical operations in emergencies and recover lost assets from breaches, Baker said.
'Surprise principal'
As providers begin to exchange patient information over the Internet for referrals and transitions in care settings, consumers will want to see more robust privacy and security safeguards. As a result, the advisory Health IT Policy Committee’s privacy and security tiger team, of which Baker is a member, has recommended the “surprise” principle as a rule of thumb.
“Patients should not be surprised to learn what happens to their health information. If they would be surprised, you better get their consent,” she said, adding that transparency by providers goes a long way to enable consent.
[See also: Top 6 data security questions you should be asking your BAs.]
There are also trigger events that would indicate the need for “meaningful” consent from a consumer, such as a third party or some exchanges that collect and combine information in a database for use by others. Consumers should be able to understand how their information is used.
As part of the first stage of meaningful use, certified EHRs have the ability to control access, automatically log users off after inactivity, conduct audits and be encrypted. Data at rest should be encrypted based on risk assessment.
“If you have a database in a highly protected data center, the risk is probably pretty low that the data will be accessed. But if you have health information on a laptop, I better make sure it is encrypted,” said Baker. Encryption can protect data when data breaches occur.
The HITECH Act strengthened HIPAA enforcement and the response to breaches, compelling providers involved in such incidents affecting more than 500 individuals to report it to the Health and Human Services Department, which publishes the name of the offender on its website.
As of June 6, HHS has published reports of 281 breaches affecting 10.4 million in total, said Lisa Gallagher, senior director of privacy and security at HIMSS. More than half of the braches were the result of theft or loss of portable devices, laptops and hard drives, according to HHS. For breaches affecting fewer than 500 individuals, 32,000 incidents have been reported.
“We know the industry is not very good at detecting breaches. We have no idea of how many breaches there really are or in the near future,” she said, adding that as organizations learn more about detecting breaches, they’re going to find more and report more.
Draft recommendations for Stage 2 of meaningful use carry over performing and updating a security risk assessment and fixing vulnerabilities, she said. Additionally, the Health IT Policy Committee approved the proposal that providers analyze whether they need encryption on devices and attest that such a policy is in place.
