Tighten security on electronic data, panel tells information industry
Recommendations listed for ‘immediate’ use
The myriad problems connected with confidentiality in electronic patient records have suddenly been moved to the front burner. After more than two years of study, the National Research Council in Washington, DC, has handed down recommendations on tightening the security of electronic data. But the 500-page report issued in March might best be seen as the linchpin for a national debate on balancing the health industry’s need for information with patients’ rights to privacy.
While the report doesn’t push the panic button, it does contain a sense of urgency by suggesting the recommendations be adopted immediately. In its conclusion, the panel that conducted the study said the health care industry is behind the times in automation security, both in terms of what it has done and the priority given to privacy issues.
"In the more advanced organizations, security practices do not match those widely found in other industries," it states. "And in less advanced organizations, even elementary security practices have not been implemented."
The panel also found that "several major organizations have stifled the supply of advanced security features in health care information systems. Since health care organizations do not reward them for including security features in their products, vendors have limited incentives to offer them."
Organizations and confidentiality experts immediately lauded the report, both for its specific recommendations and for its big-picture message.
"This is an area where different organizations have markedly different priorities," says Jonathan Wald, MD, physician executive for the Cerner Corp. in Irvine, CA, and frequent lecturer on confidentiality issues related to technology. "The focus of a business office at an insurance company is far from the patient focus of a mental health facility, but this report recognizes that confidentiality can be compromised in both places."
"This is a very significant report," adds Adele A. Waller, JD, a Chicago-based consultant for hospital technology issues. "It clearly points out the need for one national standard for health information privacy that will apply to all the major players to deal in personal health information." While the recommendations contained in the report are important, its real value will be to stir up a broad debate over the use of patient information, she says.
The report also should cause some soul searching among hospitals, the experts say. It specifically shows that it’s time to re-examine policies relating to the patient’s right to privacy and health care workers’ need for information. The immediate need is to adopt or update your security plan, says Dale Miller, director of consulting services at Irongate, a San Rafael, CA, company that helps hospitals develop information security measures.
"Most organizations have policies on protecting information, but in many cases they haven’t assigned responsibility for that security. It’s just assumed to be assigned somewhere. But if you think of a typical security plan that assigns responsibility, provides a budget, and has some milestone tasks to be accomplished, that’s much more rare." (For recommendations on what should be included in a security plan, see related story, p. 69.)
An updated plan requires a risk assessment study. Here are the key elements:
• Get the support you need.
"Decide that you’re going to do it, and get senior management backing," Miller says. Support from your CEO is good, but support from your hospital’s board of directors is even better. If the board requires an information security program, establishing one or updating the existing plan will keep the board’s lawyers happy. It shows that the hospital is taking steps to provide "due care," which is an important concept if someone sues because confidential information was released.
• Assign responsibility.
Formalize the process by putting someone in charge. Generally, this person will report to the CIO or CFO. "That is important only to the extent that it affects the access the person has to people who need to hear the message and know that the person has some clout," Miller says. Health information managers are excellent candidates because of their knowledge of both systems and release of information rules, he says.
• Assess where you are.
Chances are you have some policies, technical controls, and procedures already in place. Now’s the time to do an inventory to figure out exactly what you have, says Miller. This will show you where your shortcomings are.
The rapid changes in health care might leave you unprepared for potential risks, he adds. "Hospitals have reorganized, merged, brought in new systems, added buildings, acquired physician offices, and even added home care where you may have visiting nurses carrying [computers] and even paper records outside the hospital," Miller notes.
Once you’ve done your risk assessment, be prepared to keep doing it. Each technological advancement offers new opportunities but creates new threats to confidentiality, he notes.
Wald suggests you follow the "threat model" when performing your risk assessment. "There are people threats both internal and external. There are technology threats and threats related to the flow of information as it is handed off in the process of care or administrative processes, such as reimbursement or accreditation." The key is realizing that the potential problems you handle today will change as technology advances, which means your countermeasures will have to change. "You can’t totally eliminate threats, but you can manage them," he says.
• Beware of rising expectations.
As you move into electronic patient records, be aware that public expectations will change, cautions Wald. "Nobody would sue a hospital on the premise that [the patient’s] paper chart should have [recorded the names of] everyone who ever read it. Paper doesn’t record that information. But if the expectation with the computerization of charts is that it will record detailed information on everyone who looks at it, that raises the bar and sets a new expectation.
"Even organizations moving quickly into automation will face five to 10 years of hybrid records, paper plus computer. One caution to groups automating rapidly is don’t advertise to your patients that now you can do all this detailed tracking of who accesses information, unless you truly can do it. You might be able to do it for a portion of your records, but you still can’t do it for the portion that’s on paper," Wald says.
The good news is that the technology already exists to accomplish all of the immediate recommendations of the National Research Council’s report, says Miller. (See related story outlining those recommendations, on right.)
Advancements are also close at hand that will greatly reduce the dissemination of sensitive patient information. In this new paradigm the information systems will provide hospital workers with the information they need, and only that information, rather than forcing them to seek it out and risk exposing sensitive information not critical to their task. "In that kind of environment, the system can be structured to give you what you need as a physical therapist, for instance, or what you need as the person who handles billing, and you won’t even see some of the sensitive information that doesn’t enter into your job," says Miller. "It’s possible now, and the better systems are moving in that direction."
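The two design points made above, need-to-know views of the chart (Miller) and a record of everyone who looks at it (Wald), can be sketched in a few dozen lines. The example below is added here for illustration; it is not code from the report, from Cerner or Irongate, or from any product the article mentions. The role names, the field names in the chart, the sample patient record and the audit-log shape are all constructed for this example.

```python
"""Least-privilege views over a patient record, with an access audit trail.

Added illustration, not from the article or any vendor's system. Each role
sees only the fields its job needs; any field not listed for a role is
withheld by default; and every view (including refused ones) is logged with
who looked, under which role, at which fields. All names and sample data
below are constructed assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed sample chart. Field names are assumptions for this example.
PATIENT_RECORD = {
    "mrn": "000-EXAMPLE",
    "name": "J. Doe",
    "dob": "1960-01-01",
    "insurer": "Example Health Plan",
    "billing_codes": ["97110", "97140"],
    "pt_orders": "Gait training, 3x/week",
    "mobility_notes": "Ambulates with walker",
    "psychiatric_history": "(sensitive, constructed placeholder)",
    "hiv_status": "(sensitive, constructed placeholder)",
}

# Role -> fields that job actually needs. Deny by default: a field absent
# from a role's set is never returned, even though it exists in the record.
ROLE_VIEWS = {
    "physical_therapist": {"mrn", "name", "dob", "pt_orders", "mobility_notes"},
    "billing_clerk": {"mrn", "name", "insurer", "billing_codes"},
}


@dataclass
class AuditEntry:
    when: str            # ISO-8601 UTC timestamp of the access
    user: str            # who asked
    role: str            # the role they acted under
    mrn: str             # which chart
    fields_seen: tuple   # fields actually returned; empty if refused
    granted: bool


@dataclass
class RecordAccessLog:
    """Append-only list answering 'who has looked at this chart?'"""
    entries: list = field(default_factory=list)

    def record(self, user, role, mrn, fields_seen, granted):
        self.entries.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user, role=role, mrn=mrn,
            fields_seen=tuple(sorted(fields_seen)), granted=granted))


def view_record(record, user, role, audit):
    """Return only the fields ROLE_VIEWS allows for `role`, logging the access.

    Unknown roles are refused (and the refusal logged) rather than being
    given the whole chart: the safe default is to show nothing.
    """
    allowed = ROLE_VIEWS.get(role)
    if allowed is None:
        audit.record(user, role, record["mrn"], (), granted=False)
        raise PermissionError(f"role {role!r} has no defined view")
    view = {k: v for k, v in record.items() if k in allowed}
    audit.record(user, role, record["mrn"], view.keys(), granted=True)
    return view


def accesses_to(audit, mrn):
    """Every access attempt against one chart: the question paper cannot answer."""
    return [(e.user, e.role, e.granted, e.fields_seen)
            for e in audit.entries if e.mrn == mrn]


if __name__ == "__main__":
    log = RecordAccessLog()
    print(view_record(PATIENT_RECORD, "pt01", "physical_therapist", log))
    print(view_record(PATIENT_RECORD, "bc02", "billing_clerk", log))
    for entry in accesses_to(log, "000-EXAMPLE"):
        print(entry)
```

The point of the role table is that it is an allow-list keyed on what a job needs, so adding a new sensitive field to the chart exposes it to nobody until someone deliberately grants it. The log records refused attempts as well as granted ones; Wald's caution about hybrid records still applies, since nothing here can account for a paper copy of the same chart.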
Dale W. Miller, Director of Consulting Services, Irongate, 7 Mt. Lassen Drive, Suite C-126, San Rafael, CA 94903. Telephone: (415) 491-0910. Internet site: http://www.irongateinc.com.
Jonathan S. Wald, MD, MPH, Physician Executive, Cerner Corporation, 2603 Main St., Suite 700, Irvine, CA 92614. Telephone: (714) 250-1357, Ext. 6587. E-mail: [email protected].
Adele A. Waller, JD, 321 N. Clark St., Suite 3400, Chicago, IL 60610. Telephone: (312) 245-8507.