2011 Info Security Spending Priorities
Breach Prevention, Compliance Driving Investments
"We're spending money to save money on dealing with breaches," says Richard Jankowski, information security officer at Memorial Sloan-Kettering Cancer Center in New York.
The federal spotlight on breach prevention means "we need to get more vigilant," notes Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind.
Across the country, hospitals are planning many critical information security steps for 2011, including:
- Expanding their use of encryption;
- Updating their risk assessments to pinpoint threats;
- Monitoring access to clinical information systems;
- Taking new steps to improve security for mobile devices;
- Implementing authentication technologies and secure messaging.
Health Information Security Spending
Despite the pressure to prevent breaches and comply with federal regulations, many hospitals faced with thin margins and tight budgets are finding it difficult to free up resources for information security. A recent Healthcare Information and Management Systems Society security survey determined, for the third year in a row, that roughly half of healthcare organizations spend 3 percent or less of their IT budgets on security.
"I'd love to hire a chief information security officer, but I can't justify the expense," Christian says. The 232-bed community hospital, however, recently gave security oversight responsibilities to its internal auditor.
Even at Memorial Sloan-Kettering Cancer Center, spending on security will grow only slightly in 2011, Jankowski says.
But at tiny Montgomery County Memorial Hospital in Red Oak, Iowa, spending on security will grow substantially in 2011 as it ramps up efforts to address security risks, says Ron Kloewer, CIO. The 25-bed critical access hospital will spend 20 percent of its IT capital budget on security in 2011, up from about 7 percent this year, he says. That's fueled, in large part, by HIPAA and HITECH Act compliance as the hospital prepares to apply for federal electronic health record incentive payments.
Encryption
With more than 200 major health information breaches reported to federal authorities so far as a result of the HITECH Act breach notification rule, hospitals are now paying much closer attention to the potential high cost of dealing with breaches, Jankowski says. "It gives organizations a lot of justification for spending money on encryption."
Sloan-Kettering has encrypted all its laptops. In 2011, it will encrypt thumb drives as well as sensitive information in back-end databases as part of its ongoing breach prevention campaign, Jankowski explains.
Encryption is becoming a priority for even the nation's smallest hospitals. For example, Montgomery County Memorial Hospital plans to encrypt its backup tapes that are stored offsite. "This is a compliance issue, and we really need to address it," Kloewer says.
The rural hospital isn't encrypting desktops and laptops because it has a policy prohibiting storing any patient information on the devices, taking a thin client approach to accessing data stored only on servers, the CIO says.
Risk Assessments
For years, healthcare organizations have been required under HIPAA to conduct risk assessments. But now they have a timely, compelling reason to update these assessments. To qualify for HITECH Act financial incentives for using electronic health records, hospitals and physician groups must conduct a risk assessment and take appropriate action to mitigate risks.
Kloewer and Christian are both getting outside help with an updated risk analysis in hopes of improving security as well as qualifying for EHR incentives.
"We will hire a firm to do a very focused security audit for us to make sure we're doing everything we need to do," Christian says.
Montgomery County Memorial Hospital will get help from a regional extension center, which was created by the HITECH Act to assist smaller organizations that are migrating to EHRs. "They'll help us do a gap analysis" and pinpoint security issues to be addressed, Kloewer says.
Monitoring Access
At Good Samaritan Hospital, two top information security priorities for 2011 are user provisioning and audit log aggregation. "We're making sure that we have good role-based access to our systems and that we have a way to audit who has access to what," Christian says.
To help prevent breaches, such as staff looking at records they're not authorized to see, the hospital is automating formerly manual user provisioning tasks. This will ease the effort to make sure staff members can access only the systems and records that they're pre-approved to use, based on their role.
The hospital has found it labor-intensive to conduct audits of records access because it has multiple audit logs that must be tracked. By aggregating the logs and more fully automating the audit process, Christian's team will get alerts when a potential incident involving unauthorized access occurs.
"Rather than doing a retrospective review of who's been looking, we want to know who is looking now," the CIO says.
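The approach described above, aggregating the audit logs of several clinical systems into one timeline and checking each access against the role the user was provisioned for, can be illustrated with a small script. The following is an added example written for this page; it is not code from Good Samaritan Hospital or any other organization named here. The two log formats, the role matrix, the user list and the log lines are all constructed for the illustration.

```python
"""Aggregate access logs from several clinical systems and flag accesses that
fall outside a user's provisioned role, so review can happen as events arrive
rather than retrospectively.  Everything below is constructed sample data."""
import csv
import io
from dataclasses import dataclass
from datetime import datetime
from typing import Iterable, List, Optional, Tuple

# Provisioning matrix (constructed): for each role, the systems it may use and
# the record types it may open in each system.
ROLE_PERMISSIONS = {
    "nurse": {"ehr": {"chart", "meds"}, "lab": {"result"}},
    "billing": {"ehr": {"demographics"}},
    "physician": {"ehr": {"chart", "meds", "demographics"}, "lab": {"result", "order"}},
}

# Users and the single role each was provisioned with (constructed).
USER_ROLES = {"jdoe": "nurse", "bsmith": "billing", "mlee": "physician"}


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    system: str
    user: str
    patient_id: str
    record_type: str


# Constructed sample logs.  The EHR writes CSV; the lab system writes key=value
# lines.  One of the points of aggregation is to stop caring about that.
EHR_LOG = """timestamp,user,patient_id,record_type
2011-01-05T08:02:11,jdoe,P1001,chart
2011-01-05T08:05:47,bsmith,P1001,demographics
2011-01-05T08:09:30,bsmith,P2002,chart
2011-01-05T08:11:02,unknown01,P3003,chart
"""

LAB_LOG = """ts=2011-01-05T08:03:15 user=mlee patient=P1001 record=order
ts=2011-01-05T08:07:40 user=bsmith patient=P2002 record=result
ts=2011-01-05T08:10:55 user=jdoe patient=P1001 record=result
"""


def parse_ehr_log(text: str) -> List[AccessEvent]:
    """Parse the CSV-style EHR access log into normalized events."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        events.append(AccessEvent(datetime.fromisoformat(row["timestamp"]), "ehr",
                                  row["user"], row["patient_id"], row["record_type"]))
    return events


def parse_lab_log(text: str) -> List[AccessEvent]:
    """Parse the key=value lab system log into normalized events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        kv = dict(tok.split("=", 1) for tok in line.split())
        events.append(AccessEvent(datetime.fromisoformat(kv["ts"]), "lab",
                                  kv["user"], kv["patient"], kv["record"]))
    return events


def aggregate(*sources: Iterable[AccessEvent]) -> List[AccessEvent]:
    """Merge events from every system into one timeline ordered by time."""
    merged = [ev for src in sources for ev in src]
    merged.sort(key=lambda ev: ev.ts)
    return merged


def check_event(ev: AccessEvent) -> Optional[str]:
    """Return a reason code if the access is outside the user's role, else None."""
    role = USER_ROLES.get(ev.user)
    if role is None:
        return "unprovisioned_user"
    allowed = ROLE_PERMISSIONS[role]
    if ev.system not in allowed:
        return "system_not_in_role"
    if ev.record_type not in allowed[ev.system]:
        return "record_type_not_in_role"
    return None


def find_violations(events: Iterable[AccessEvent]) -> List[Tuple[AccessEvent, str]]:
    """Every event that would raise an alert, paired with its reason code."""
    violations = []
    for ev in events:
        reason = check_event(ev)
        if reason is not None:
            violations.append((ev, reason))
    return violations


if __name__ == "__main__":
    timeline = aggregate(parse_ehr_log(EHR_LOG), parse_lab_log(LAB_LOG))
    for ev, reason in find_violations(timeline):
        print(f"ALERT {ev.ts.isoformat()} {ev.system} user={ev.user} "
              f"patient={ev.patient_id} record={ev.record_type} reason={reason}")
```

In the sample data the billing user opens a chart in the EHR and a result in the lab system, neither of which the billing role is provisioned for, and an account that was never provisioned appears in the EHR log; each produces an alert as soon as the event is processed. In a real deployment the provisioning matrix would be read from the identity system rather than hard-coded, and the alert would feed a ticket or SIEM rather than standard output.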
Securing Mobile Devices
Because of the explosive growth in the use of mobile devices, including smart phones and iPads, Memorial Sloan-Kettering is investigating better ways to monitor use and enforce policies that call for encryption and authentication, Jankowski says. Plus, it will install technology to remotely wipe out data on all brands and types of mobile devices if they're lost or stolen.
Across the country, more clinicians are using mobile devices and other technologies to gain remote access to electronic health records and other information in support of timely treatment decisions.
This is especially important at Shriners' Hospitals for Children, says Bill Bria, M.D., chief medical informatics officer. So in 2011, the 22 children's hospitals will expand use of two-factor authentication, using tokens, as more physicians take advantage of remote access, Bria says.
The Shriners hospitals also will continue to expand their use of secure messaging, especially for communication with referring physicians from around the globe, to help ensure the continuity of care, Bria adds.
A Balancing Act
Hospitals and clinics that are struggling to develop sound information security strategies face a difficult challenge, Christian says.
"For us in healthcare, it's always been a very delicate balance. How do we provide the right people with access to information but also make sure we're protecting patients' privacy?"
Security professionals and executives at hospitals and clinics of all sizes will be addressing that issue in 2011 as they expand their use of electronic health records and participate in health information exchanges.