Are Hospital Boards Clueless?Consultant sees lack of compliance awareness Hospital boards of directors are just beginning to realize the size and scope of the information security regulatory compliance tasks their organizations must complete, one consultant contends.
When consultants describe to board members the beefed-up HIPAA privacy and security rules under the HITECH Act, including new breach notification requirements, "you can see their eyes go wide," says Mitch Morris, M.D., who heads the health IT practice at Deloitte Consulting LLP, New York.
Because so many hospitals took a "best-of-breed" approach to acquiring applications, picking and choosing niche software from multiple vendors, their HITECH security compliance efforts are now more complex, Morris contends.
So hospital executives and board members alike are just beginning to realize they must assure security for what can amount to hundreds of applications that contain "protected" healthcare information as defined in the HITECH Act, he says.
"Some CIOs are not even aware of the total number of applications at the hospital that contain protected health information," Morris says.
To comply with HITECH, hospitals must take steps to ensure the security of applications ranging from dietary systems to financial systems, in addition to core clinical systems, Morris stresses. "And nobody has done all that yet."
Morris says his firm is "finding a lack of awareness of the depth of the challenge" in handling breach prevention and detection as well as broader risk management.
He called on hospitals to consider "simplifying their application environments" by standardizing on systems from fewer vendors and integrating them well. He argues that HITECH alone may be a catalyst for a movement away from the best-of-breed approach.
Morris also lamented the relatively rare use of encryption at healthcare organizations. "Most hospitals have not yet encrypted data on laptops," he asserted, in spite of highly publicized breaches involving the theft of portable devices.
A major problem in implementing encryption, the consultant says, is that many CIOs have no control over the procurement of laptops and other devices. As a result, employees may acquire computers from multiple sources and not install standard applications or encryption, he contends.
The IT department should take a lead role in the purchase of all computers and set enforceable standards for applications and encryption, Morris argues.
Morris made his comments March 2 in an interview at the HIMSS Conference in Atlanta.