Are Hospital Boards Clueless?

Consultant sees lack of compliance awareness

Hospital boards of directors are just beginning to realize the size and scope of the information security regulatory compliance tasks their organizations must complete, one consultant contends.

When consultants describe to board members the beefed-up HIPAA privacy and security rules under the HITECH Act, including new breach notification requirements, "you can see their eyes go wide," says Mitch Morris, M.D., who heads the health IT practice at Deloitte Consulting LLP, New York.

Best-of-breed woes
Because so many hospitals took a "best-of-breed" approach to acquiring applications, picking and choosing niche software from multiple vendors, their HITECH security compliance efforts are now more complex, Morris contends.

So hospital executives and board members alike are just beginning to realize they must assure security for what can amount to hundreds of applications that contain "protected" healthcare information as defined in the HITECH Act, he says.

"Some CIOs are not even aware of the total number of applications at the hospital that contain protected health information," Morris says.

To comply with HITECH, hospitals must take steps to ensure the security of applications ranging from dietary systems to financial systems, in addition to core clinical systems, Morris stresses. "And nobody has done all that yet."

Morris says his firm is "finding a lack of awareness of the depth of the challenge" in handling breach prevention and detection as well as broader risk management.

He called on hospitals to consider "simplifying their application environments" by standardizing on systems from fewer vendors and integrating them well. He argues that HITECH alone may be a catalyst for a movement away from the best-of-breed approach.

Morris also lamented the relatively rare use of encryption at healthcare organizations. "Most hospitals have not yet encrypted data on laptops," he asserted, in spite of highly publicized breaches involving the theft of portable devices.

A major problem in implementing encryption, the consultant says, is that many CIOs have no control over the procurement of laptops and other devices. As a result, employees may acquire computers from multiple sources and not install standard applications or encryption, he contends.

The IT department should take a lead role in the purchase of all computers and set enforceable standards for applications and encryption, Morris argues.

Morris made his comments March 2 in an interview at the HIMSS Conference in Atlanta.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.