Survey finds hospitals are vulnerable to problems from technical advances
Lack of policies and preparation for year 2000 is big problem
Times are rapidly changing in the technological world, and chances are your hospital is lagging behind. A survey conducted by a Chicago information technology law firm found that hospitals are not updating their computer systems and policies to keep pace with technical advances. Gordon & Glickson PC's nationwide survey of 1,600 hospitals found that more than 30% of respondents have not begun to develop a strategy to address critical programming updates. What's more, many hospitals don't have good patient information security measures in place or policies to govern the use of the Internet, e-mail, and laptop computers. (For the methodology of the survey and who responded, see box, p. 115.)
Here are some highlights from the survey:
Year 2000 preparation.
Since many computers are programmed to handle two-digit date fields and not four-digit date fields, they are expected to have difficulty or even crash when they need to process year 2000 information. Not only have many hospitals yet to develop a plan for handling computer updates, but only 11% have coordinated their efforts with their network partners.
"Hospitals with limited resources tend not to focus on updating their technology," says Christine R. Chase, an associate specializing in health care information technology for Gordon & Glickson. "Up to this point, that's a matter that has been on the back burner for a lot of them."
Respondents estimate that the cost to correct their systems ranges from $15,000 to $16 million. In addition, more than 40% of respondents do not anticipate completing their year 2000 corrections during 1998, even though year 2000 dates will most likely be entered into hospital computers in 1999, if not earlier.
When that time hits, no one really knows what will happen to those computers that have not been updated, Chase says. "It could mean that all the systems shut down. Or things we can't really guess right now. At a minimum, communicating electronically would be very difficult."
Hospitals that wait too long to hire someone to help with their systems may find the best consultants all booked up. "A problem that we're noticing as we get closer to the year 2000 is that a lot of companies have already announced that they are not taking on any more year 2000 consulting clients. It's going to get harder and harder to get qualified people."
"This year's survey figures are disturbing as some hospitals demonstrate complacency," says Diana J.P. McKenzie, a partner with Gordon & Glickson. "While there has been mild improvement since last year's survey, remaining hospitals need to rapidly move beyond the initial assessment phase and begin to initiate year 2000 conversions immediately; otherwise, they will face major shortages in qualified programmers, increased costs, failed systems, and ultimately, legal threats."
Data mining.
The trend among hospitals has been to gather patient information and use it for other purposes, such as research. The survey found that one-third of respondents participate in some form of data-mining behavior.
While this technique often is used to improve patient care and perform outcome analysis, the survey revealed that 37% of respondents do not obtain patient consent for data-mining activities. The most common types of data being mined include clinical-encounter information and billing data, and the data are most commonly used for research and insurance purposes.
"The issue is that there is no set rule of when you have to get patient consent," Chase says. "Some hospitals aren't getting consent at all. Some get the consent prior to taking the information.
"Once you have that initial consent, you could continue to use the information," she continues. "One thing that hospitals are doing to get around some of the privacy issues with data mining is to 'clean up' the information so there is no way to identify the patient from the information."
"Hospitals need to beware of the caveats associated with data-mining activities," McKenzie says. "Unless hospitals consider developing patient consent forms for the full spectrum of applications for the mined data, including research and insurance, they risk being held legally accountable for failure to protect patients' privacy."
Internet use and misuse.
Although less than 10% of physicians and employees in hospitals have access to the World Wide Web, 38% of the respondents reported incidents of inappropriate Internet use. This represents a significant increase from last year's survey, in which only 21% reported such use. The most common abuses concerned accessing pornographic material and excessive personal use, conduct that can lead to serious practical and legal problems.
In addition, more than three-quarters of the respondents have a Web site, but only 12% of those maintaining sites post disclaimers to protect themselves against Internet-related legal exposure.
"Almost any business should consider having a disclaimer on its Web site," Chase says. If someone uses information from a hospital's Web site and gets injured, the hospital could be sued. Or if an employee posts information on the site that is defamatory or sexually harassing, the hospital could be held liable for that, too.
"On-line resources are invaluable as they provide employees with a variety of resources at their fingertips," says McKenzie. "However, hospitals need to realize that they should take precautionary measures to minimize the risks associated with Internet use and to protect themselves from a legal standpoint."
E-mail and surfing monitoring.
Only 22% of respondents say they monitor the Web-surfing habits of their employees, and only 27% use Web-filtering tools. More than 90% of respondents say they do not monitor employee e-mail, which opens them up to legal risks.
The best strategy is to have a policy that says "e-mail here is for business purposes only, and the hospital has the right to monitor your usage," Chase says. "Then people don't have and can't really have an expectation of privacy. If they use e-mail for personal purposes, they are doing so at their own risk. I think that's the only thing you can do. You have to reserve the right to monitor in order to protect yourself."
Information technology (IT) outsourcing.
While outsourcing continues to be a trend in hospitals, 26% of hospitals still do not outsource any IT function, a 3% increase from last year's survey response. Respondents who do not outsource IT functions believe that outsourcing is either too expensive or not the most cost-effective solution. Of the 74% of hospitals that do outsource technology services, 64% outsource equipment maintenance.
Security measures.
Most hospitals use basic security measures such as passwords, written policies, anti-virus software, automatic log-offs, and training. Less than half, though, restrict the printing or copying of patient data. And while 86% reported limiting access based on job responsibilities, only 43% have the ability to track users' attempts to access data outside their job descriptions.
In addition, many hospitals have the capability to review audit-trail reports to uncover instances of improper access, but 37% of respondents say they fail to review the reports regularly.
Another security measure many hospitals fail to use is promptly denying terminated employees access to computerized patient records. Almost 50% of respondents wait at least a day to deny access. One in 10 hospitals waits more than a week to do so, which can pose serious security threats.
Patient access to medical records.
Nearly all hospitals currently have policies that allow patient access to their own medical records. Four percent say they actually "encourage" patient review.
Several bills have been introduced at the federal level to require that hospitals allow patients access to their medical records. The 6% of hospitals that say patients are not permitted to review their medical records may face legal difficulties.
IT policies.
Although 92% of hospitals maintain overall formal IT confidentiality policies, several key areas frequently remain unaddressed. Only 20% of respondents have policies governing laptop-computer use, and 32% have voice-mail policies in place. Other areas that lack policy coverage include Web surfing and cellular telephone usage.
[Editor's note: Gordon & Glickson PC's Fourth Annual Healthcare Technology Survey can be downloaded or ordered from the company's Web site. Access the site at: http://www.ggtech.com. Or call Gordon & Glickson at (312) 321-1700.]