Security issues can’t be ‘swept under the rug’
As healthcare IT systems get more sophisticated, so do their security challenges. And with stronger HIPAA privacy regulations in place, providers are being forced to make information security a much bigger priority, experts say.
“There wasn’t much enforcement of HIPAA before, but that is changing,” said Mark Ford, a partner in the healthcare providers practice for Deloitte Consulting in Ann Arbor, Mich. “The industry is looking really hard at meaningful use, security and privacy and it’s something they will have to deal with. What’s real now is with electronic medical records and how to maximize them to achieve these goals.”
The point of security and privacy from a meaningful use perspective is “that you know it’s there but don’t know how to deal with it,” said Ford, who reports “positive traction and movement in leveraging EMRs and pulling in opportunities that high tech can provide.”
Ken Rubin, vice president of Boston-based Iron Mountain’s digital records center for medical images, insists that the new HIPAA regulations, which now encompass provider business associates and promise strict compliance enforcement, are more than just rhetoric.
“They have raised the bar in enforcement,” he said. “There is now a mandatory security breach notification, which means it can’t be swept under the rug.”
Under the new HIPAA rules, provider business associates that come in contact with patient information are now being held to the same standards as providers, Rubin said.
“They have to demonstrate materially that they conform with the law, that they have the processes in place,” he said. “The implication for providers is that they need to be careful about who they are working with.”
For hospitals and health systems to ensure an appropriate level of security, data needs to be encrypted while at rest and in transit, retain the same level of integrity when stored as when it was created, and not be susceptible to corruption, Rubin said.
“Providers need a system to migrate the data so it doesn’t get destroyed, lost or put in the wrong people’s hands,” he said.
While the protection of patient information is paramount, there are concerns in the academic community about being deprived of data that is critical for medical research, said Scott Morrison, chief technology officer for Vancouver, British Columbia-based Layer 7 Technologies.