New Audits by HHS Underscore Security Concerns

Ann Peden points out that security standards are not finalized but infractions are still cited.

Keep It All in Perspective

If nothing else, they're one heck of a wake-up call.

That's the consensus of experts interviewed regarding two May audit reports chiding both the Office of the National Coordinator for Health Information Technology and the Office for Civil Rights. Both entities were taken to task by the Health and Human Services' Inspector General's Office for not enforcing the HIPAA security rules and the security provisions encompassed in the subsequent HITECH portion of the federal stimulus bill. (In July 2009, the Office for Civil Rights replaced the Centers for Medicare and Medicaid Services as the overseer of HIPAA security rules.)

"To a large degree, I'm not surprised at the audit," said Bob Singleton, chief information security officer for The University of Mississippi Medical Center in Jackson. "The reason I say that is, for a number of years, we've gone with really minimal and almost a downplayed enforcement of the original HIPAA regulations as well as the subsequent HITECH additions." Singleton noted that the audits indicate that attention is shifting from just the privacy considerations of electronic health information to security provisions as well. "That's a big concern, and that should be an eye-opener for executives and senior leadership to begin looking more closely at how data is protected," he said.

The audits

Between August 2009 and March 2010, HHS conducted site visits and performed compliance audits at seven hospitals in California, Georgia, Illinois, Massachusetts, Missouri, New York and Texas. The audits examined technical safeguards such as those needed for wireless network security; physical access to electronic information systems and the facilities in which they are housed; and policies and procedures to protect the confidentiality, integrity and availability of ePHI (electronic protected health information).

HHS identified 151 vulnerabilities in the systems and controls intended to protect electronic records and categorized 124 of them as "high impact." The report said, "These vulnerabilities placed the confidentiality, integrity and availability of ePHI at risk. Outsiders or employees at some hospitals could have accessed, and at one hospital did access, systems and beneficiaries' personal data and performed unauthorized acts without the hospitals' knowledge." The study defined "high impact" vulnerabilities as those that:

may result in the highly costly loss of major tangible assets or resources; may significantly violate, harm or impede an organization's mission, reputation or interest; or may result in human death or serious injury.

Yet, Ann Peden, PhD, professor and director of the University of Mississippi Health Informatics and Information Management program, said the audit reports were "more critical to the entities in government that are responsible for standards for information security than of the hospitals." She also noted that for many of the security infractions cited in the reports, there aren't established HIPAA or HITECH standards to guide providers working to ensure data protection. Many hospitals and other providers use the standards laid out by the National Institute of Standards and Technology, yet those have no direct tie to HIPAA or HITECH.

Lisa Morton, PhD, a colleague of Peden's, pointed out another wrinkle. "When the initial HIPAA security regulations came out, there were a number of regulations that were considered to be addressable rather than required. An addressable standard allows the facility to choose how it will address the regulation," explained Morton, UM assistant professor in the Department of Health Informatics and Information Management. She added, "What healthcare facilities have been challenged with is the expense of implementing a number of these requirements. So there's a balance between securing the data and spending the money on the equipment or the software applications that are required to secure the data. That's why healthcare organizations have not been as tight on security as the OIG would like to see."

Considering it's the job of the Office of the National Coordinator to encourage the adoption of electronic records, too many stringent and expensive security regulations may do just the opposite and discourage providers from making the electronic leap. In fact, David Blumenthal, who recently stepped down as the HIT national coordinator, made that point in a written response to the audits. "ONC has worked to strike the right balance between ensuring the security of health information among new adopters while not creating such an onerous burden of technical requirements that the primary adoption goal would fail to be achieved," he said.

The bigger picture

Thus, the challenges are many and varied, and there's no easy fix, according to William H. Stead, MD, associate vice chancellor for Health Affairs and chief strategy and information officer at Vanderbilt University Medical Center in Nashville. As a member of the President's Council of Advisors on Science and Technology, Stead co-chaired a working group established to help the Office of the National Coordinator sort through the audit recommendations and craft its responses.

"They're taking it very seriously," Stead said of ONC. "What ONC is trying to do is secure the transactions as they're being exchanged, not going back and securing the base system. I think that is correct. It's a matter of picking your critical path, and I think they've done that quite well." He said to expect test beds in the next 18 to 24 months as ONC moves to address security issues.

Stead noted that while the audit reports brought to light legitimate concerns, he believes there are four issues that should be kept at the forefront as the nation moves toward wider adoption of HIT and stronger protection of the information it holds. The first is that electronic information security is a challenge that's bigger than healthcare. "It's an all-industry problem because of the disconnect between how we're now using the technology and how the security techniques involved came into being in a very different time and place," Stead explained.

Second, "don't throw out the baby with the bathwater," Stead cautioned. "This frequently gets lost with the kind of statements in the OIG report. Yes, there are problems, but in fact, most of today's electronic health records are more secure than paper medical records."

Third, Stead said, enforcement should include punishment for those who break the law. "The punishments that are built into today's system are analogous to penalizing the bank that gets broken into, not penalizing the bank robber who does the bad thing," he said. Stead was appointed by former President George W. Bush to serve on the federal Commission on Systemic Interoperability, and that group established 14 recommendations to ensure electronic health records by 2014. Two of those recommendations concerned a legal approach to the problem. One was criminal sanctions for intentional privacy violations, and the second was strong consumer protection for individuals who are victims of unauthorized access or release of health information.

Finally, Stead acknowledged that the nation does need to transform its technical approach to securing information. "You would not stop what we have now and what we're doing now, which is largely a transaction-processing model of pushing information from one point to another point where it's needed," he explained. "You would leave that infrastructure in place, and you would put this new exchange infrastructure beside it a little bit like the Web sat beside all the things that preceded it." The idea would be to tag every piece of data with the patient's privacy preferences, so as the information moves through the system, the conditions under which it was released would remain with the data.
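As an added illustration (not code from the article, ONC or Vanderbilt), here is one way the "preferences travel with the data" idea could be modelled: each record carries the patient's release conditions, and every hop in the exchange checks them before forwarding. The organization names, purposes and record values are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class PrivacyTag:
    """Patient preferences that stay attached to the record (constructed illustration)."""
    patient_id: str
    allowed_purposes: frozenset   # purposes the patient consented to, e.g. {"treatment"}
    allowed_orgs: frozenset       # organizations permitted to receive the record
    redisclosure: bool            # may a recipient forward the record onward?

@dataclass(frozen=True)
class TaggedRecord:
    payload: dict
    tag: PrivacyTag
    trail: tuple = ()             # organizations the record has already passed through

def release(record: Optional[TaggedRecord], recipient_org: str, purpose: str) -> Optional[TaggedRecord]:
    """Enforce the tag at one hop. Returns the forwarded record, or None if the
    release would violate the conditions the patient attached to the data."""
    if record is None:
        return None
    t = record.tag
    if purpose not in t.allowed_purposes or recipient_org not in t.allowed_orgs:
        return None                       # wrong purpose or unapproved recipient
    if record.trail and not t.redisclosure:
        return None                       # already left its origin; forwarding barred
    return TaggedRecord(record.payload, t, record.trail + (recipient_org,))

# Constructed sample: consent only for treatment, only to two named organizations, no redisclosure.
SAMPLE = TaggedRecord(
    payload={"mrn": "CONSTRUCTED-0001", "note": "example clinical note"},
    tag=PrivacyTag("CONSTRUCTED-0001", frozenset({"treatment"}),
                   frozenset({"hospital-a", "clinic-b"}), redisclosure=False),
)

def demo():
    """Walk the record through three attempted releases and return the outcomes."""
    hop1 = release(SAMPLE, "clinic-b", "treatment")      # permitted: first hop, consented purpose
    hop2 = release(hop1, "hospital-a", "treatment")      # denied: redisclosure not permitted
    denied = release(SAMPLE, "insurer-c", "billing")     # denied: purpose and recipient not consented
    return hop1, hop2, denied

if __name__ == "__main__":
    for label, result in zip(("hop1", "hop2", "denied"), demo()):
        print(label, "released to" if result else "blocked", result.trail if result else "")
```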

Stead had one more point to add: "Perfection isn't possible now. The places that have tried to get perfection, given today's technology, have actually locked things down to the point that they're not able to get the benefit of the technology."

Looks like walking the fine line will continue.
