Building Public Trust in Secure EHRs
Blumenthal, Cybersecurity Czar Working on Recommendations
As part of that collaboration, a governmentwide coordination council soon will make recommendations on healthcare security issues, said Blumenthal, the Department of Health and Human Services' national coordinator for health information technology. Councils are formed to work on interagency cybersecurity projects.
Building public trust in widespread use of electronic health records and the exchange of clinical information, as called for under the HITECH Act, will require building public confidence that healthcare information will remain secure, Blumenthal said Tuesday in his keynote address at the HIPAA Summit West in San Francisco.
The HITECH Act, among other things, provides funding for Medicare and Medicaid EHR incentive payments to physicians and hospitals as well as state grants to support development of health information exchanges.
Next Security Steps
"We'll be examining where we need to go forward with new guidance, regulation or law to assure the public stays with us on this endeavor," Blumenthal said.
As part of that effort, federal officials also are reviewing the recommendations of a privacy and security tiger team regarding such issues as gaining patient consent to exchange their information, he noted.
Building public trust will require a "broad, deep national dialogue" on the issue of how to give patients control over their information, Blumenthal said. To initiate dialogue, Blumenthal's office will conduct "listening sessions" on privacy and security issues with consumers across the country, starting later this month.
"The public hopefully will conclude that the value of health information exchange greatly exceeds the risks to privacy ... as long as they trust that we are doing everything humanly possible to protect their information," Blumenthal said.
Addressing Breach Threats
Although the public is primarily concerned that hackers might access their health information, the bigger threats, Blumenthal said, are from the careless practices of healthcare organizations. Most major breaches reported to the HHS Office for Civil Rights, he noted, have involved lost or stolen unencrypted laptops and other devices.
"The first thing we have to do is get the basics right," Blumenthal said. "For example, we have to make sure that laptops used by health professionals are automatically encrypted."
Responding to a question about variations in state privacy laws that might impede the exchange of data across state lines, Blumenthal suggested initial efforts should focus on "getting information flowing within states." Then communities, such as Boston, that would greatly benefit from exchanging data with those in other states could begin to work on addressing variations in state laws.
"There will be a political push to solve those problems in those states where there's a clear rationale to make state laws compatible," he said.