The Security Scrutinizer with Howard Anderson

Hospital Execs Reveal Security Concerns

About two dozen hospital executives gathered around a table at the American Health Information Management Association's 2010 Legal EHR Summit in Chicago Aug. 16 for a chat about their security concerns. Here's a sampling of what they had to say.

One hospital executive said her organization was struggling with how to determine what breaches must be reported. The HITECH Act breach notification interim final rule requires organizations to conduct a risk assessment to determine if a breach represents "significant risk." "And that has been a challenge," the executive said, pointing, in particular, to misdirected faxes.

(Federal regulators recently withdrew a proposed final version of the breach notification rule for further consideration. We'll have to wait and see if they drop or fine-tune the "significant risk" language, which has proven to be quite controversial. Meanwhile, the interim final rule remains in effect.)

The moderator of the discussion, Kelly McLendon, president of Health Information Xperts, advised attendees to conduct audits of all fax numbers at least twice a year to make sure they're accurate. He also urged them to consider migrating from faxes to secure e-mail.

Another executive expressed concern about "secondary uses" of information in electronic health records, such as data stored in spreadsheets for reports. He said this information was difficult to detect, much less protect.

Several attendees voiced concern about data stored on laptops and portable media, acknowledging the need to encrypt the information -- when you know about it. "We have doctors who have their own laptops with information on them from their previous practice," one executive lamented.

"We require permission from a senior vice president to store patient information on a laptop, and we encrypt all our laptops," another attendee added.

Several participants expressed concerns about doctors who call up their own records using an EHR system, creating the potential for a breach if, for example, they alter the content. "We created a policy offering doctors 'read-only' access to their own record," one executive said.

So what health information security concerns keep you awake at night?

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
