Health Info Security: Top 2011 Trends
Securing EHRs, Social Media Policies Are Key
Four leading health information security experts size up the top trends for 2011 as:
- Taking the necessary security steps to qualify for the HITECH EHR incentives.
- Creating policies to prevent privacy violations stemming from the use of social media.
- Implementing technologies to make sure mobile devices are secure.
- Developing privacy and security policies for emerging business models, including health information exchange.
Qualifying for EHR Incentives
As much as $27 billion in EHR incentives will be available from Medicare and Medicaid starting in 2011, thanks to the HITECH Act. As a result, executives at hospitals and physician groups are taking steps to make sure they can demonstrate they are "meaningful users" of EHRs so they can qualify.
The only security-specific requirement for meaningful use is to conduct (or review) a security risk analysis of the kind the HIPAA Security Rule already calls for, and then correct the deficiencies it identifies. Although this has been required under HIPAA for years, the billions of dollars in HITECH incentives are proving to be a far more powerful source of motivation.
To be certified for the incentive program, EHR software must include a long list of security functions, among them access control, audit logging, integrity protection, authentication and encryption. But the HITECH rules don't explicitly spell out which of these functions must actually be turned on and used. As a result, hospitals and clinics will "have a greater need for guidance on how to configure and use the security features that are incorporated into those EHRs to support HIPAA compliance," says Dixie Baker. The security specialist, who's an adviser to federal regulators, is senior vice president and chief technology officer for health and life sciences at Science Applications International Corp.
Social Media Privacy Risks
As more healthcare organizations use social media -- and more of their employees use social networks on their own -- new privacy risks are becoming a source of greater concern.
"An increasing number of healthcare organizations are embracing social networking as a marketing tool," says Kate Borten, president of The Marblehead Group. "That can be risky unless proper policies and guidelines are first established."
Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, says many HIMSS members are grappling with how to cope with the surge in social media use. "Health care organizations are wondering how they can control use of social media to ensure that no sensitive information is published and nothing is done that would damage the reputation of their organization," Gallagher says.
Unfortunately, most organizations have yet to craft a social media policy that spells out, for example, that no patient information should ever make its way onto social networks, Gallagher laments. That's why volunteers at HIMSS are developing a whitepaper offering advice on assessing the risks involved in social media and developing appropriate mitigation strategies. The report will be available early in the new year.
"Social media policies need to include not only the use of social media sites while at work, but also when away from work," says Rebecca Herold, owner of Rebecca Herold & Associates. "For example, policies should indicate the types of business information that personnel should never post to social media sites and should clearly indicate the types of monitoring the organization does to find inappropriate listings."
Protecting Mobile Devices
Another major trend for 2011 will be a ramping up of efforts to protect information on mobile devices and media. That's largely because so many of the major health information breaches reported so far, as required under the HITECH breach notification rule, involve the theft or loss of these devices.
"The most immediate issue for most healthcare organizations is encrypting laptops," Borten says. "Getting less attention, but still important, is the issue of encrypting backup tapes and disks stored offsite.
"But once laptops and backups are encrypted, the harder challenge is securing other portable devices and media, such as smart phones and USB drives. I see this as the next major challenge, and I believe it will be the major pain point for years to come."
Gallagher stresses that healthcare organizations need to educate their staffs about the risks involved in using portable devices in light of the highly publicized breach incidents.
Although using encryption and authentication to improve the security of mobile devices and media is important, "too many organizations depend upon technologies alone," Herold points out. She stresses that they must also create and enforce mobile computing policies, procedures and standards and provide ongoing training to ensure all staff members follow the guidelines. In establishing policies, some organizations are considering banning the storage of patient information on mobile devices.
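Policy only helps if someone checks that the laptops and removable media actually are encrypted. The script below is an added example, not code from the article or from any of the experts quoted in it. It parses the JSON that `lsblk -J -o NAME,TYPE,MOUNTPOINT` prints on a Linux laptop, walks the block-device tree, and reports any volume likely to hold patient data that does not sit on a dm-crypt (LUKS) device, including an unencrypted USB stick. The sample `lsblk` output, the list of mountpoints treated as PHI-capable, and the Linux-only assumption are all mine.

```python
import json
import subprocess
from typing import Dict, List, Optional

# Constructed sample (hand-written, not captured from a real host): a laptop with
# LUKS-on-LVM root and home, a cleartext EFI partition, and an unencrypted USB stick.
# It has the shape `lsblk -J -o NAME,TYPE,MOUNTPOINT` produces on such a machine.
SAMPLE_LSBLK_JSON = """
{
  "blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": null, "children": [
      {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
      {"name": "nvme0n1p2", "type": "part", "mountpoint": null, "children": [
        {"name": "cryptroot", "type": "crypt", "mountpoint": null, "children": [
          {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
          {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"}
        ]}
      ]}
    ]},
    {"name": "sdb", "type": "disk", "mountpoint": null, "children": [
      {"name": "sdb1", "type": "part", "mountpoint": "/media/usb"}
    ]}
  ]
}
"""

# Assumed set of fixed mountpoints that may hold PHI. /boot/efi is deliberately
# absent: the boot partition must stay in the clear and holds no patient data.
PHI_MOUNTPOINTS = ("/", "/home", "/var", "/srv")
REMOVABLE_PREFIXES = ("/media/", "/mnt/", "/run/media/")


def encrypted_mountpoints(lsblk_json: str) -> Dict[str, bool]:
    """Map every mounted filesystem to True if it is, or sits beneath, a dm-crypt device.

    LVM-on-LUKS is handled because encryption status is inherited down the tree:
    once a 'crypt' node is seen, everything below it counts as encrypted.
    """
    tree = json.loads(lsblk_json)
    result: Dict[str, bool] = {}

    def walk(devices, under_crypt: bool) -> None:
        for dev in devices:
            encrypted = under_crypt or dev.get("type") == "crypt"
            mountpoint = dev.get("mountpoint")
            if mountpoint:
                result[mountpoint] = encrypted
            walk(dev.get("children", []), encrypted)

    walk(tree.get("blockdevices", []), False)
    return result


def unencrypted_phi_volumes(lsblk_json: str) -> List[str]:
    """Return mountpoints that could carry PHI but are not protected by dm-crypt.

    Removable media (anything under /media, /mnt or /run/media) is always in scope,
    because a lost USB stick holding patient data is exactly the breach pattern
    the article describes.
    """
    findings = []
    for mountpoint, encrypted in encrypted_mountpoints(lsblk_json).items():
        in_scope = mountpoint in PHI_MOUNTPOINTS or mountpoint.startswith(REMOVABLE_PREFIXES)
        if in_scope and not encrypted:
            findings.append(mountpoint)
    return sorted(findings)


def check_live_host() -> Optional[List[str]]:
    """Run lsblk on this Linux host; None when lsblk is unavailable (macOS, Windows, minimal containers)."""
    try:
        proc = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                              capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return unencrypted_phi_volumes(proc.stdout)


if __name__ == "__main__":
    print("sample host, unencrypted PHI-capable volumes:",
          unencrypted_phi_volumes(SAMPLE_LSBLK_JSON))
    live = check_live_host()
    if live is not None:
        print("this host:", live or "all PHI-capable volumes are encrypted")
```

Two caveats go with the check. It only recognises dm-crypt; a self-encrypting drive, eCryptfs home directory or other scheme would be reported as unencrypted and needs its own probe. And a green result says nothing about a laptop that is stolen while suspended with the volume key still in memory, which is the kind of gap Herold's point about policy and training is meant to close.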
Health Information Exchanges
Another important trend for 2011, Baker says, is "privacy and security policy and governance to address emerging business models." This includes health information exchanges, personal health records and cloud computing, among others, she says.
When a hospital joins a regional or statewide health information exchange, senior leaders must understand their obligations for keeping shared data private, Gallagher stresses.
Another key issue, she adds, is taking adequate steps to obtain patient consent for exchanging data, as outlined in recent recommendations from a privacy and security tiger team advising regulators.
Health Internet
In addition to these four key trends, the security experts highlighted other hot topics for 2011 and beyond. For example, Baker predicts the emergence of what she calls a "Health Internet."
"It will provide security, privacy, transparency and choice around the exchange of health information, both among healthcare entities and between healthcare organizations and consumers."
The Nationwide Health Information Network standards, and related Direct Project standards, will help pave the way for information exchange among organizations from coast-to-coast, Baker says. But she envisions a Health Internet that will use those standards plus ease exchange of information with consumers as well.
Cloud Computing
Herold envisions more organizations moving to cloud computing and outsourcing for certain information security and IT functions because of a lack of expertise to get the job done on their own.
She also anticipates federal authorities will get serious about ramping up enforcement of HIPAA and HITECH compliance in the year ahead, leading more organizations to make breach prevention an even higher priority.
And Baker expresses hope for one other significant trend in the months to come. "I would like to see a shift in perspective about security protections from viewing security as a compliance issue to realizing its role as an essential enabler for safe, reliable healthcare and trust in the healthcare system."