Building Security Awareness Among Docs
The key is explaining business risks
"If they have a breach, they could go out of business if they don't do things the right way," Tennant stresses.
But physician groups, unfortunately, lack awareness of information security issues and HITECH Act compliance requirements, and they lack funding for security programs, he adds.
"It's tough to convince smaller practices they have to take security seriously," Tennant says.
Risk assessment essential
The MGMA executive tells practices it's essential that they conduct a risk assessment, invest in technologies to address identified risks, develop a breach notification plan and train staff on security issues. Otherwise, he says, they run the risk of having their reputations ruined.
He also stresses the value of using encryption, especially for mobile devices. "Encrypting is cheaper than addressing a security breach," he notes.
To help educate physician groups, Tennant would like to see the Department of Health and Human Services give practices the opportunity to volunteer for security audits without sanctions. He says the Occupational Safety and Health Administration offers similar voluntary compliance audits. In a voluntary audit, "the government could look over the practice's security policies and procedures and give a report on how the practice can improve," he says.
Tennant also called on federal regulators to set standards for certifying Health Information Exchanges to help ensure they all use the same protocols and policies. This would ease the sharing of information while protecting security, he contends.
Tennant spoke in a panel May 12 at the conference: "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by the HHS Office for Civil Rights and the National Institute of Standards and Technology.
Another panelist, Dan Rode, vice president for policy and government relations at the American Health Information Management Association, says clinical software vendors need to do a better job of educating their clients about security issues.
"And too many vendors are not adding security functions because of perceived lack of demand," he contends.
Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, says many business associates, such as banks and billing services, are unaware that under the HITECH Act, they now must comply with the HIPAA privacy and security rules. "We need to reach out to them and pull them into the tent," she says.
Gallagher also called on federal regulators to offer far more detailed HITECH guidance to healthcare organizations on such topics as security risk assessments, accounting for who has viewed electronic health records, breach detection and response, and securing wireless devices, among others.