Hospital Execs Reveal Security Concerns
About two dozen hospital executives gathered around a table at the American Health Information Management Association's 2010 Legal EHR Summit in Chicago Aug. 16 for a chat about their security concerns. Here's a sampling of what they had to say.
One hospital executive said her organization was struggling with how to determine what breaches must be reported. The HITECH Act breach notification interim final rule requires organizations to conduct a risk assessment to determine if a breach represents "significant risk." "And that has been a challenge," the executive said, pointing, in particular, to misdirected faxes.
(Federal regulators recently withdrew a proposed final version of the breach notification rule for further consideration. We'll have to wait and see if they drop or fine-tune the "significant risk" language, which has proven to be quite controversial. Meanwhile, the interim final rule remains in effect.)
The moderator of the discussion, Kelly McLendon, president of Health Information Xperts, advised attendees to conduct audits of all fax numbers at least twice a year to make sure they're accurate. He also urged them to consider migrating from faxes to secure e-mail.
Another executive expressed concern about "secondary uses" of information in electronic health records, such as data stored in spreadsheets for reports. He said this information was difficult to detect, much less protect.
Several attendees expressed concern about data stored on laptops and portable media, acknowledging the need to encrypt the information -- when you know about it. "We have doctors who have their own laptops with information on them from their previous practice," one executive lamented.
"We require permission from a senior vice president to store patient information on a laptop, and we encrypt all our laptops," another attendee added.
Several participants expressed concerns about doctors who call up their own records using an EHR system, creating the potential for a breach if, for example, they alter the content. "We created a policy offering doctors 'read-only' access to their own record," one executive said.
So what health information security concerns keep you awake at night?