Compliance, Security and the Implementation of EHRs

Oct. 7, 2011, 9:28 PM UTC

For many health care organizations, the push toward implementation of electronic health records has been relentless. The reason for this is obvious—in 2009, the U.S. Congress passed the American Recovery and Reinvestment Act, which calls for a Nationwide Health Information Network (NHIN) wherein all medical records will be in electronic health record (EHR) format and conform to nationally recognized standards. This change is being implemented not only to streamline, standardize, and ensure the interoperability of such patient information, but many believe this transition is also a key element to improving patient outcomes and making health care more effective and affordable.

Yet many also believe that, unless and until privacy and security issues that have plagued the implementation of EHRs are fully addressed, patients as well as providers may have little confidence in the system. Privacy and security experts have sounded the alarms regarding the dangers posed by this new system, dangers that will have to be addressed if the health care industry as a whole expects end-users to fully buy in to this transition.

Despite these frequently cited concerns, a recent PricewaterhouseCoopers survey found that organizations implementing EHRs may not be focusing enough on the privacy and security of patient data. Respondents to the survey overwhelmingly indicated their intent to utilize electronic patient health data (74 percent), but only 47 percent said they were addressing privacy and security issues.

Additionally, slightly more than half responded that their organizations had experienced at least some type of data breach within the past two years. The most frequently cited issue? Improper use by an internal employee. Forty percent of respondents indicated their facilities had an incident where an employee had improperly used or accessed protected health information (PHI). Business associates (BAs) represented another large security gap for respondents. While most organizations did require a BA agreement, only 38 percent said they utilized some form of pre-contract assessment of security controls.

An Ongoing Problem

The results of the PwC survey are not surprising. When Kroll Inc. released its 2010 HIMSS Analytics Report: Security of Patient Data last April, the results were quite similar. For instance, nearly two-thirds of respondents in the HIMSS study indicated that the source of their breach was unauthorized access to information by an employee. This was most closely followed by the wrongful access of paper-based patient information (32 percent). And despite assertions that recent regulations surrounding BAs have made vetting them more difficult, last year’s study indicated that, even at that time, respondents did not properly audit third party security systems or methods. Nearly 40 percent did not require proof that their third parties trained employees, and half did not require proof of employee background checks.

One of the reasons that the gaps exist, as indicated in the HIMSS study, is that health care entities persist in using a “checklist” mentality when it comes to security—the thought process, it would appear, is that compliance equals security. Yet this mentality shifts the focus from IT security controls to data breach and incident response. Hospitals unknowingly turn a blind eye to the vulnerabilities that caused the breach in the first place.

The EHR Wrinkle

If health care organizations already had the checklist mentality, then the adoption of EHRs only complicates the issue. The transition to an electronic, interoperable system must meet national standards for meaningful use. This has been the focus, despite the fact that such a transition brings about new issues in data security, in physical security, and in patient privacy. Data is becoming more mobile than ever before, posing new risks and challenges.

In May of this year, the Department of Health and Human Services Office of the Inspector General (OIG) released two reports that indicated the critical need to focus more on IT security controls. The reports, Audit of Information Technology Security Included in Health Information Technology Standards and Nationwide Rollup Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, were critical of the HHS agencies entrusted with oversight, found significant IT vulnerabilities at audited hospitals, and lamented the lack of IT security controls within the HIT standards.

While the Nationwide Rollup report revealed some rather eye-opening security gaps at the seven hospitals that were audited, what’s particularly telling about the HIT Standards report is the OIG’s conclusion that security controls tended to focus on interoperability—that which was necessary to securely transmit data between systems. There was little to no focus on “general” IT security controls that would’ve prevented the infractions found in the audits, which included such elementary items as the sharing of user accounts and passwords, inadequate or nonexistent antivirus software, and unprotected wireless networks, to name a few. The recommendation was a broadened focus on security controls for HIT standards, as well as further guidance from the ONC on general IT security standards and best practices.

Moving Forward With Improved Data Security

What should be done to combat the issues of data security in this new age of EHRs? For starters, ditch the checklist mentality and start implementing holistic security controls now. A few things to consider:

  • perform a risk assessment to identify security gaps;
  • provide training for employees on proper handling of PHI and, specifically, ePHI;
  • employ encryption on mobile devices;
  • ensure software patches and antivirus are kept up-to-date; and
  • maintain logs for your networks and key applications.
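The last item on the list, application logging, is only useful if someone actually looks at the logs for the problems the surveys and audits describe: PHI accessed improperly by an internal employee, and user accounts shared between staff. The following is an added example, not code from the article or from any EHR vendor. It assumes a hypothetical audit-log format in which each line records a timestamp, the user, the source IP, the action and the patient record touched; the sample lines are constructed. It flags two patterns: one account active from two different workstations within a few minutes (a symptom of shared credentials), and one user opening more distinct patient records in a short window than a normal clinical workflow would explain.

```python
"""Detection logic over EHR audit-log lines (constructed sample, hypothetical format)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines in an assumed "key=value" format; not from a real EHR product.
SAMPLE_LOG = """\
2011-10-03T08:01:10 user=jdoe ip=10.1.4.22 action=VIEW patient=P1001
2011-10-03T08:02:40 user=jdoe ip=10.1.4.22 action=VIEW patient=P1002
2011-10-03T08:03:05 user=jdoe ip=10.1.9.80 action=VIEW patient=P1003
2011-10-03T08:10:00 user=asmith ip=10.1.4.31 action=VIEW patient=P2001
2011-10-03T08:10:15 user=asmith ip=10.1.4.31 action=VIEW patient=P2002
2011-10-03T08:10:30 user=asmith ip=10.1.4.31 action=VIEW patient=P2003
2011-10-03T08:10:45 user=asmith ip=10.1.4.31 action=VIEW patient=P2004
2011-10-03T08:11:00 user=asmith ip=10.1.4.31 action=VIEW patient=P2005
2011-10-03T08:11:20 user=asmith ip=10.1.4.31 action=VIEW patient=P2006
2011-10-03T09:00:00 user=bkim ip=10.1.5.12 action=VIEW patient=P3001
2011-10-03T13:30:00 user=bkim ip=10.1.7.40 action=VIEW patient=P3002
2011-10-03T13:31:00 user=bkim ip=10.1.7.40 action=UPDATE patient=P3002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) "
    r"action=(?P<action>\S+) patient=(?P<patient>\S+)$"
)


def parse_log(text):
    """Parse audit lines into dicts sorted by timestamp; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def shared_account_alerts(events, window_seconds=600):
    """Flag an account seen from two different source IPs within the window.

    The OIG audits cited shared user accounts and passwords; one credential used
    from two workstations in quick succession is a common symptom of that.
    Returns (user, previous_ip, new_ip) tuples.
    """
    window = timedelta(seconds=window_seconds)
    last_seen = {}  # user -> (timestamp, ip) of the most recent event
    alerts = []
    for ev in events:
        prev = last_seen.get(ev["user"])
        if prev and prev[1] != ev["ip"] and ev["ts"] - prev[0] <= window:
            alerts.append((ev["user"], prev[1], ev["ip"]))
        last_seen[ev["user"]] = (ev["ts"], ev["ip"])
    return alerts


def snooping_alerts(events, window_seconds=600, max_patients=5):
    """Flag a user who touches more than max_patients distinct records inside the window.

    This targets the "improper access by an internal employee" finding in the surveys.
    Returns (user, peak_distinct_patients) tuples.
    """
    window = timedelta(seconds=window_seconds)
    by_user = defaultdict(list)
    for ev in events:  # events are already time-ordered
        by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        peak, start = 0, 0
        for i, ev in enumerate(evs):
            while ev["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            distinct = len({e["patient"] for e in evs[start:i + 1]})
            peak = max(peak, distinct)
        if peak > max_patients:
            alerts.append((user, peak))
    return alerts


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for a in shared_account_alerts(evs):
        print("shared-account candidate:", a)
    for a in snooping_alerts(evs):
        print("bulk-record-access candidate:", a)
```

Thresholds of ten minutes and five records are placeholders; a real deployment would tune them per role (a triage nurse legitimately opens many charts in an hour, a billing clerk working one account does not) and feed the alerts into the incident-response process rather than treating them as proof of wrongdoing.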

As for your BAs, while compliance requirements may be in a state of flux, best practice dictates that you employ a discovery process to determine security practices. Does the BA perform background checks on their employees? Will they submit to periodic security audits? What is their plan for incident response should a breach involve your ePHI? All of these are good questions to ask before a contract is signed.

Make no mistake, this is a daunting task. Even as the environment at health care facilities gets turned upside down with the implementation of new technologies, there will still be those individuals on your team who will say “but, we’ve always done it this way.” It will take a great deal of time and effort to implement changes that will be viewed by some, quite frankly, as a roadblock to progress. In the long run, however, it will be worth it for your facility, your team and, ultimately, your patients.