Security issues can’t be ‘swept under the rug’

By John Andrews
05:54 PM

As healthcare IT systems get more sophisticated, so do their security challenges. And with stronger HIPAA privacy regulations in place, providers are being forced to make information security a much bigger priority, experts say.

“There wasn’t much enforcement of HIPAA before, but that is changing,” said Mark Ford, a partner in the healthcare providers practice for Deloitte Consulting in Ann Arbor, Mich. “The industry is looking really hard at meaningful use, security and privacy and it’s something they will have to deal with. What’s real now is with electronic medical records and how to maximize them to achieve these goals.”

The point of security and privacy from a meaningful use perspective is “that you know it’s there but don’t know how to deal with it,” said Ford, who reports “positive traction and movement in leveraging EMRs and pulling in opportunities that high tech can provide.”

Ken Rubin, vice president of Boston-based Iron Mountain’s digital records center for medical images, insists that the new HIPAA regulations, which now encompass provider business associates and promise strict compliance enforcement, are more than just rhetoric.

“They have raised the bar in enforcement,” he said. “There is now a mandatory security breach notification, which means it can’t be swept under the rug.”

Under the new HIPAA rules, provider business associates that come in contact with patient information are now being held to the same standards as providers, Rubin said.

“They have to demonstrate materially that they conform with the law, that they have the processes in place,” he said. “The implication for providers is that they need to be careful about who they are working with.”

For hospitals and health systems to ensure an appropriate level of security, data needs to be encrypted while at rest and in transit, retain the same level of integrity when stored as when it was created, and not be susceptible to corruption, Rubin said.

“Providers need a system to migrate the data so it doesn’t get destroyed, lost or put in the wrong people’s hands,” he said.

Research accessibility
While the protection of patient information is paramount, there are concerns in the academic community about being deprived of data that is critical for medical research, said Scott Morrison, chief technology officer for Vancouver, British Columbia-based Layer 7 Technologies.

“This is a common problem at teaching hospitals, which have mandates for teaching and research while operating as a hospital,” he said. “They need to give physicians access to appropriate case studies and records but researchers also need to have it made available to them. HIPAA makes a lot of sense, but at the same time when there is a huge body of data, we have a responsibility to humanity to use it for making our lives better.”

To help strike the right balance between privacy protection and advancing medical science, Layer 7 worked with the University of Chicago Medical Center to create a system that limits access to records while making them available for research with the sensitive private information “scrubbed out,” Morrison said.

“It’s a mixture of rules-based identity control and ensuring sensitive data doesn’t leak out,” he said. “It gives teaching hospitals confidence they are compliant while serving their two masters.”

Safeguarding HIEs
Salt Lake City-based Medicity focuses on security for health information exchanges. Ashish Shah, senior vice president and chief architect, says his company is responsible for checking HIE vulnerabilities and eliminating any threats – particularly in what he calls “the last mile of connectivity” between systems.

“There are a handful of basic security components, such as authentication and authorization, but HIEs need to know who you are, your specialty, your care location and data accessed,” he said. “There needs to be a system of multi-dimensional authentication.”
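Two ideas above fit together in code: Morrison's rules-based identity control with sensitive data scrubbed out for researchers, and Shah's point that an HIE must decide on more than a login, taking role, specialty, care location and the data being accessed into account. The following is an added Go example written for this page; it is not the Layer 7 or Medicity implementation and does not describe either product. The policy rules, the record layout, the identifier patterns used for scrubbing and the audit fields are all assumptions chosen for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// Requester carries the dimensions the policy evaluates, not just a user id.
type Requester struct {
	UserID, Role, Specialty, CareLocation string
}

// Record is a simplified clinical record whose free-text notes may contain
// direct identifiers. (Hypothetical layout.)
type Record struct {
	PatientID, PatientName, Location, Specialty, Notes string
}

// AuditEntry captures who accessed what, from where, when, and the outcome.
type AuditEntry struct {
	Who, What, Where, Decision string
	When                       time.Time
}

// Gate evaluates requests and keeps the audit trail. In a deployment the
// trail would go to append-only storage, not an in-memory slice.
type Gate struct {
	Audit []AuditEntry
	now   func() time.Time
}

// Constructed patterns for identifiers that must not reach researchers.
var (
	mrnRe   = regexp.MustCompile(`\bMRN-\d+\b`)
	dateRe  = regexp.MustCompile(`\b\d{4}-\d{2}-\d{2}\b`)
	phoneRe = regexp.MustCompile(`\b\d{3}-\d{3}-\d{4}\b`)
)

// Scrub returns a de-identified copy of the notes: the patient's name and any
// MRN, date or phone-number pattern is replaced with a placeholder.
func Scrub(r Record) string {
	out := strings.ReplaceAll(r.Notes, r.PatientName, "[NAME]")
	out = mrnRe.ReplaceAllString(out, "[MRN]")
	out = dateRe.ReplaceAllString(out, "[DATE]")
	out = phoneRe.ReplaceAllString(out, "[PHONE]")
	return out
}

// Decide applies the rules, appends an audit entry, and returns the view the
// requester may see (empty on deny) together with the decision label.
// Rules (assumed for the example): a physician gets the full record only when
// both care location and specialty match it; a researcher always gets the
// de-identified copy; everyone else is denied.
func (g *Gate) Decide(q Requester, r Record) (view, decision string) {
	switch {
	case q.Role == "physician" && q.CareLocation == r.Location && q.Specialty == r.Specialty:
		view, decision = r.Notes, "allow-full"
	case q.Role == "researcher":
		view, decision = Scrub(r), "allow-deidentified"
	default:
		decision = "deny"
	}
	if g.now == nil {
		g.now = time.Now
	}
	g.Audit = append(g.Audit, AuditEntry{
		Who: q.UserID, What: "record:" + r.PatientID, Where: q.CareLocation,
		Decision: decision, When: g.now(),
	})
	return view, decision
}

func main() {
	g := &Gate{}
	rec := Record{ // constructed sample record
		PatientID: "P-1", PatientName: "Jane Doe", Location: "ED-North", Specialty: "emergency",
		Notes: "Jane Doe MRN-12345 seen 2010-03-01, callback 555-010-0100",
	}
	for _, q := range []Requester{
		{"dr1", "physician", "emergency", "ED-North"},
		{"res1", "researcher", "", "University"},
		{"dr2", "physician", "emergency", "Clinic-South"},
	} {
		view, decision := g.Decide(q, rec)
		fmt.Printf("%-5s %-18s %q\n", q.UserID, decision, view)
	}
	for _, e := range g.Audit {
		fmt.Printf("audit: %s %s from %s -> %s\n", e.Who, e.What, e.Where, e.Decision)
	}
}
```

Two design points matter more than the specific rules. The default branch denies, so a requester with an unexpected role never falls through to data. And the audit entry is written for denials as well as grants, because a pattern of refused requests is often the first signal of misuse or of a misconfigured integration.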

Medicity, which handles security for the Delaware Health Information Exchange, among others, is also involved in developing best practice security levels for the nationwide health information network, also known as the “Health Internet.”

Security Catch-22
Alex Iomazzo, vice president of operations for Livingston, N.J.-based EDIMS, oversees the operation of 21 emergency departments in the greater New York area and understands the gravity of protecting patient information. At the same time, he doesn’t want a greater emphasis on security coming at the expense of patient care.

“We’re all for tightening security, but the flip side is that the tighter it is, the more it inhibits workflow,” he said. “Our clinicians need to be able to log on quickly and simply.”

The EDIMS information management system has fully functioning components for the company’s 300 physicians. The ED outsourcing company has applied for Certification Commission for Health Information Technology (CCHIT) certification, which includes a security demonstration. Yet Iomazzo is concerned about the 28 quality measures associated with the meaningful use designation, calling it a Catch-22.

“With all the information flowing from hospitals to physician clinics to the feds, how do you ensure that patient information is protected?” he said. “You have to be certified for meaningful use, but we couldn’t meet those 28 quality measures right now.”

File vulnerabilities
PACS and other high-density attachments too large for traditional e-mails are becoming more commonplace and present an ever-growing security challenge, says Paula Skokowski, chief marketing officer for Palo Alto, Calif.-based Accellion.

“In the past two years, issues of security and compliance are coming to the forefront,” she said. “Healthcare organizations are now much more cognizant of securing sensitive information. HIPAA has definitely raised awareness of the need to protect patient information and test results.”

Together with Waltham, Mass.-based Fidelis, Accellion has developed a management tool designed to provide complete tracking and reporting – what Skokowski calls “the who, what, where and when” of file transfers ranging from five megabytes to 20 gigabytes.

“This is the audit trail that is needed for compliance,” she said.