Importance of security risk assessments rise with advent of electronic health records

Millions available for hospitals that meet meaningful use requirements

A landmark study conducted by the Ponemon Institute shows that 70% of hospitals say that protecting patient data is not a top priority and 67% have fewer than two staff members dedicated to protection management.[1]

Hospitals and other covered entities have a new incentive to step up efforts to protect patient data and conduct annual security risk assessments now that meaningful use and incentive payments under the Health Information Technology for Economic and Clinical Health (HITECH) Act are available. The meaningful use regulations require organizations to conduct or review a security risk analysis and implement security updates as needed, along with correcting identified security deficiencies as part of their risk management process.

"People have ignored the need for a decent risk assessment and have chosen to accept the risk of a breach as less costly than the investment needed for thorough risk assessment," says Feisal Nanji, executive director of Techumen, a consulting firm focused on securing health care information. Incentive payments for meaningful use of electronic health records (EHRs) are significant and will make the risk assessment more important for organizations, he says.

"The incentive payments are a significant source of funds to offset the implementation of electronic health records, but to be eligible, your risk assessment must be based upon National Institute of Standards and Technology's [NIST] guidelines," says Nanji. The financial incentives for hospitals are based upon an initial base payment of $2 million, plus an amount per Medicare patient discharge for the year, with a four-year cap of $11 million. Physicians and other eligible professionals can receive incentive payments up to $18,000 per year with a maximum payout of $44,000.

The last day that hospitals can register and attest to receive an incentive payment for the federal fiscal year 2011 is Nov. 30, 2011, so there are a number of steps hospitals can take to be sure they are able to participate in the program, says Sandra E. Quilty, JD, attorney, Baudino Law Group, Des Moines, IA. "Larger hospital systems have the technical, legal, and operational support needed to comply with meaningful use requirements, but small or rural hospitals may find the regulations burdensome," she says.

The Department of Health and Human Services' Regional Extension Centers are designed to provide some of the technical assistance that critical access and rural hospitals need to convert from paper-based medical records to certified EHR technology, she says.

The security risk assessment should include all of the key players in implementing and ensuring the security of an EHR system, says Quilty. Information technology, compliance officers, clinical leaders, legal counsel, and key managers of departments that will use or support the system should be involved in identifying and evaluating potential security risks, she says.

An EHR system poses different security challenges than many information systems, says Nanji. While you can control the number of individuals who access different types of information throughout a hospital, electronic medical records must be easily accessed by a wide range of providers to ensure quality care, he explains. "This increases the opportunity for unauthorized access or use of information so the assessment must be thorough to identify and minimize risks," he adds.

Another issue that many hospitals need to address to ensure security on an ongoing basis is the identification of the right person to monitor the integrity of information systems, says Nanji. "In most hospitals, the chief information officer or someone who reports to the chief information officer is often the person designated to monitor the security of the system, even if he or she reports to a person who serves as the overall compliance officer," he says. This means that hospitals are asking an operations person, the CIO, to also monitor and ensure security — two tasks that may be at odds with each other, he says.

"As an operations manager, the CIO must meet budget restrictions and keep the information systems up and running efficiently," he points out. "As a security officer, the CIO may identify upgrades or enhancements to the system that may not be within budget parameters or will not be as convenient for system users," he says. In most cases, the CIO will make decisions that favor operations if the security risk is not deemed as important as the need for cost-efficiency, he adds.

"I always ask compliance officers if they are sure they are getting the information they need from their CIO," says Nanji. Enhanced criminal, civil, and monetary penalties that are in place with the passage of HITECH increase the importance of compliance officers getting the right information at the right time, he says. "A hospital governance structure that places responsibility for information security separately from information operations is the best approach," he says. "I also recommend that compliance officers be able to understand the information they need and to obtain advice from outside consultants if necessary," he adds.

The security risk assessment is only one part of the requirements for Phase I of the meaningful use of electronic health records, points out Quilty. The other requirements include the use of technology certified by the Centers for Medicare & Medicaid Services, core clinical measures that must be reported, basic requirements of the system including computerized physician order entry and e-prescribing, and patient communication capabilities. "Other phases of the meaningful use rule will expand upon these requirements and will be published in 2013 and 2015," she says.

Throughout all phases of electronic medical record implementation, security will continue to be important, says Nanji. "The security risk assessment is critical, but a hospital's responsibility doesn't end with the assessment. You must be prepared to identify your risk and explain how you will address the risks on an ongoing basis."


1. Ponemon Institute, Benchmark Study on Patient Privacy and Data Security 2010. Traverse City, MI.

[For more information about security risk assessment for meaningful use, contact:

Feisal Nanji, Executive Director, Techumen. E-mail:

Sandra Quilty, JD, Attorney, Baudino Law Group, 2600 Grand Avenue, Suite 300, Des Moines, IA 50312. Phone: (515) 282-1010. Fax: (515) 282-1066. E-mail:]