Work with federal information systems? Responsible for risk management, continuous monitoring, or FISMA compliance? Check out my book: FISMA and the Risk Management Framework.

Thursday, July 15, 2010

Consensus exists on importance of security and privacy in health IT; some offer rosy view on current state of technology

With all the focus over the last few weeks in the government health community on the publication of numerous proposed and final rules implementing provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, it's no surprise that public- and private-sector observers are focused on what these rules mean for health care organizations, and particularly on the progress made on health IT security and privacy. Strengthening security and, especially, privacy requirements for an ever-wider set of health care entities and their business associates, contractors, and service providers was a major emphasis of HITECH, and while much remains to be done, the recent activity makes it more likely that serious HIPAA enforcement may soon become a reality.

The observers currently weighing in on health IT security and privacy include American Health Information Management Association (AHIMA) president Rita K. Bowen, who in an otherwise fairly well-reasoned article posted yesterday on the Huffington Post somewhat surprisingly argues that concerns over the security and privacy of electronic health records are overblown, and that the protections already in place are very strong:
"The new generation of electronic health record (EHR) software systems are equipped with multiple security and privacy layers that make it virtually impossible to gain unauthorized access to any single patient record, and are less enticing to hackers than any paper-based record system out there. These same systems must also pass strict government-authorized certification standards that include a long checklist of criteria to ensure that they are compliant with existing HIPAA and security measures."
As well-intentioned as these statements may be, they rest on assumptions that the available evidence (including the steady stream of health data breaches now posted publicly by HHS) does not support, and they undermine the credibility of her overall argument. Bowen's claim about strong access controls may hold for some systems as far as keeping unauthenticated outsiders out, but very few systems provide the fine-grained, relationship-based authorization (or the logging of read access to patient records) needed to keep health care insiders from viewing any record they choose. An authenticated employee with broad read rights is an authorized user from the system's point of view, so controls aimed at external attackers say nothing about that threat. It is also hard to see how paper records, even in a large practice or facility, present as attractive a target for health data theft as the hundreds of thousands or millions of electronic records that may be technically reachable through interoperable networks of health records and associated information.
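To make concrete what "fine-grained access control and logging of read access" means here, the following is an added illustration written for this post; it is not code from the article, from AHIMA, or from any EHR product. It assumes a simple model (constructed here) in which a user may read a chart only when a treatment relationship exists, an emergency "break-glass" override is allowed but recorded with its stated reason, every read attempt is written to an audit trail whether or not it succeeds, and the audit trail can then be queried for users whose reads outside a care relationship exceed a threshold. User and patient identifiers, chart contents, and the threshold are all made up for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class EhrGateway:
    """Read path for a toy EHR (constructed example, not a real product).

    Authentication is assumed to have happened already; this layer decides
    whether *this* user may see *this* patient's chart and records every
    read attempt, allowed or denied.
    """
    records: dict                      # patient_id -> chart (constructed sample data)
    care_team: set                     # (user_id, patient_id) treatment relationships
    audit: list = field(default_factory=list)

    def _log(self, user, patient, outcome, basis):
        # Reads are logged, not just writes: insider snooping is a read.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "user": user,
            "patient": patient,
            "action": "read",
            "outcome": outcome,
            "basis": basis,
        })

    def read_record(self, user, patient, break_glass_reason=None):
        """Return the chart if the read is permitted; raise otherwise."""
        if patient not in self.records:
            self._log(user, patient, "denied", "no such patient")
            raise KeyError(patient)
        if (user, patient) in self.care_team:
            self._log(user, patient, "allowed", "care-team relationship")
            return self.records[patient]
        if break_glass_reason:
            # Emergency override: permitted, but the stated reason goes into
            # the audit trail so the access can be reviewed after the fact.
            self._log(user, patient, "allowed", "break-glass: " + break_glass_reason)
            return self.records[patient]
        self._log(user, patient, "denied", "no treatment relationship")
        raise PermissionError(f"{user} has no treatment relationship with {patient}")

    def suspicious_users(self, max_overrides=1):
        """Users with more than max_overrides reads outside a care relationship
        (denied attempts plus break-glass reads), sorted by user id."""
        counts = {}
        for entry in self.audit:
            if entry["basis"] in ("care-team relationship", "no such patient"):
                continue
            counts[entry["user"]] = counts.get(entry["user"], 0) + 1
        return sorted(user for user, n in counts.items() if n > max_overrides)


def demo():
    """Constructed scenario: two clinicians, three patients, one snooper."""
    gw = EhrGateway(
        records={
            "p1": {"name": "Patient One", "notes": "constructed chart"},
            "p2": {"name": "Patient Two", "notes": "constructed chart"},
            "p3": {"name": "Patient Three", "notes": "constructed chart"},
        },
        care_team={("dr_a", "p1"), ("dr_b", "p2")},
    )
    gw.read_record("dr_a", "p1")                                   # legitimate
    try:
        gw.read_record("dr_a", "p2")                               # snooping, denied
    except PermissionError:
        pass
    gw.read_record("dr_a", "p3", break_glass_reason="ED triage")   # override, logged
    gw.read_record("dr_a", "p2", break_glass_reason="covering")    # override, logged
    return gw


if __name__ == "__main__":
    gateway = demo()
    for entry in gateway.audit:
        print(entry["user"], entry["patient"], entry["outcome"], entry["basis"])
    print("review:", gateway.suspicious_users())
```

The point of the example is the split between the two questions the quoted passage runs together: whether an outsider can get in at all, and whether an insider who is legitimately logged in can read charts unrelated to their work. The second question is only answerable if reads are checked against a relationship and written to an audit trail that someone actually reviews.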

The last point is the most misleading. In the current health technology environment, vendors are not required to submit their products for security testing or otherwise certify that their security measures exist, let alone that they are effective, although the EHR system and module certification program under meaningful use is a small step in that direction. Compliance with the HIPAA safeguards is mandated by law for HIPAA-covered entities (and soon, thanks to HITECH, for business associates and their contractors and subcontractors as well), but in practice compliance has been largely self-policed, with enforcement (HIPAA audits and, where violations are proven, penalties) limited to those entities about which complaints have been filed with the government. With any luck, the market opportunity that meaningful use incentives present to EHR vendors will lead most or all of these products to undergo certification, but that process is only intended to demonstrate conformance with the meaningful use standards and criteria, which fall far short of the full set of safeguards in the HIPAA Security Rule.

2 comments:

  1. I don't think that the HHS breach postings are useful to gauge EHR or HIE security. The vast majority of the breaches are theft of laptops, memory sticks, etc. Nothing an EHR or HIE can do much about.

  2. No argument that most data breaches are due to poor data handling practices, including lots of human error. Some might suggest that the frequency of breaches suggests that not even fundamental security practices are being followed on a regular basis in many organizations, which doesn't instill a lot of confidence that these same organizations will be able to effectively use whatever security and privacy protections are in their EHR or HIE technology. Or that human errors and insider threats will render the technical security measures moot.
