Instead, new security standards “must have an overriding ‘risk-based exception' to allow for the large variance in threat, risk, exposure, business models, data models and for inevitable change.”
The HIT Standards Committee and its companion, the HIT Policy Committee, were created by Congress in February as part of the healthcare IT provisions of the American Recovery and Reinvestment Act of 2009. Both committees are to offer advice to the HHS' Office of the National Coordinator for Health Information Technology on health IT issues.
With better collection and standardization, “we could build massively high-value data collections that could be expected to yield unparalleled advances in both care effectiveness and efficiency,” Tippett wrote. “We can collectively taste the possibilities.”
But adoption of “practical” electronic record systems and “effectively addressing both the perceived and real privacy and security problems” remain the “two biggest challenges.” Incidents of record breaches “have grown every year during this decade,” Tippett wrote, with the most recent Verizon Data Breach Investigations Report, based solely on investigations by Verizon, reporting the breach of 285 million records, including, but not limited to, healthcare records.
But current security measures are not based on objective evidence, Tippett said. Encryption of data at rest in a database, for example, typically provides “no value” against a large majority of hacking and malicious code threats, and “end-user devices like PCs, laptops and PDAs” are “orders of magnitude less important targets in the real world than is perceived (and databases are several orders of magnitude more important than end-user devices).”
Tippett makes this assertion notwithstanding that one of the largest data breaches in U.S. history involved a laptop, loaded with 26 million veterans' records, stolen from the home of a Veterans Affairs Department employee.
In his oral testimony, Tippett also called for a nonpublic reporting system for security breaches modeled after the one used by the airline industry, but said officials should design the system's parameters “to make sure they have some meat behind them.”
Tippett said when a pilot makes a mistake, if he or she fills out a form and sends it within 10 days to the National Aeronautics and Space Administration, they “cannot be prosecuted unless you cause an accident or did it intentionally.”
The healthcare industry could use the data from a similar reporting mechanism through a neutral third party to identify security problems and correct them as well as to modify security standards over time, Tippett said.
In 2007, Verizon purchased Cybertrust, a data security company, which Tippett described as the largest computer security firm in the world.
Security and privacy have been pushed to the front burner in recent months as part of the ongoing discussion over a national health information technology program.
The security rule under the Health Insurance Portability and Accountability Act of 1996 went into effect in 2005 and the enforcement deadline for the companion privacy rule was passed in 2003, but the Bush administration issued no civil penalties for violations of either rule despite fielding more than 40,000 privacy and security complaints.
In July, the Obama administration consolidated privacy and security enforcement authority into one agency, the Office for Civil Rights at HHS, and in August HHS released a controversial interim final rule on the new federal breach-notification requirements included among the various IT provisions in the American Recovery and Reinvestment Act of 2009.
The rule, however, generated bipartisan ire in key congressional leaders as well as wrath among privacy advocates by inserting language in the rule allowing organizations that have breached patient data to perform risk analysis and calculate the relative harm of the breach, giving them an out from otherwise complying with the law's breach-notification provisions.
Several organizations in recent months have issued surveys and reports on data security and privacy issues, all showing that inadequate security, in particular, is a growing problem.
Earlier this week, HIMSS Analytics, the market research arm of the Healthcare Information and Management Systems Society, released its own survey of healthcare IT security professionals and concluded that a large percentage of them reported their organizations may not be ready to meet the more stringent security standards under the stimulus law.
Lisa Gallagher, senior director of privacy and security at HIMSS, testified before the HIT Standards Committee meeting about the study, conducted between August and early October, which incorporated responses from 196 information security professionals across a wide range of healthcare organizations.
Three-quarters of the respondents said their organizations conducted a formal risk analysis, and one-quarter did not, according to Gallagher. Among the organizations that did conduct a formal risk assessment, three-fourths of those respondents found that patient data was at risk because of inadequate security controls.
A majority of all respondents, 60%, reported their organizations spent less than 3% of their IT budgets on security, a number that remained flat compared with last year's survey, Gallagher said. Sixty-seven percent of organizations surveyed encrypt data when it is moved, but just 44% encrypt it when it is stored and just 25% have set up some form of electronic monitoring of the audit logs of their computer systems.
Half don't have a plan in place for a security breach, Gallagher said, and 61% of those who don't say they don't have any plans to get one.
“Organizations are facing increasing challenges with the adoption of EHRs,” Gallagher said. “The level and amount of resources that they are able to apply are relatively flat, so they're required to do a lot with little.”