Four Top HITECH Tips
In an interview, Dixie Baker of SAIC advises hospitals and others to:
Baker is senior vice president and chief technology officer for health and life sciences at Science Applications International Corp., a McLean, Va.-based scientific, engineering and technology applications company.
The consultant has played a key role in the federal government's efforts to set policies and standards for healthcare data security. She chairs the privacy and security workgroup of the Health Information Technology Standards Committee. She's also a member of the full committee, as well as the privacy and security workgroup of the HIT Policy Committee.
These federal advisory bodies make recommendations to the Office of the National Coordinator for Health IT within the U.S. Department of Health and Human Services. The recommendations are used to create standards for electronic health records under the Medicare and Medicaid EHR incentive payment program, as funded under the American Recovery and Reinvestment Act.
Baker, who holds a PhD in education research and methodologies from the University of Southern California, has been with SAIC since 1995.
HOWARD ANDERSON: This is Howard Anderson, managing editor at Information Security Media Group. We're talking today with Dixie Baker, senior vice president and chief technology officer for the health and life science business at Science Applications International Corp., or SAIC.
Dixie has played key roles in the federal government efforts to set policies and standards for health data security. She is a member of the Health Information Technology Standards Committee. She chairs the Privacy and Security Workgroup of the Standards Committee, and she's a member of the Privacy and Security Workgroup of the HIT Policy Committee.
Dixie, as someone who has been at the forefront of efforts to set standards for healthcare data security, what's the one most important piece of advice you give to organizations preparing for compliance with all the new regulations?
DIXIE BAKER: I would say recognize from the outset that adopting electronic health record technology is not going to be simple, cheap or painless even with the ARRA (American Recovery and Reinvestment Act) reimbursement. If people go into it thinking it's going to be easy because now they are going to get the reimbursement, they'll be disappointed.
And I think that they should also recognize that (implementing) EHRs may not save them time. It might take more time initially, but what they are doing is investing in a long-term benefit of making it easier for them to keep patients healthy and safe and to make their businesses run more efficiently. So, it's a longer-term investment than just the monetary investment that is reimbursed by ARRA.
ANDERSON: What steps should hospitals take to prepare for complying with the new data breach notification rule, which will be enforced starting later in February?
BAKER: Well first I think they should start by making sure they understand what a breach is. If you looked at the ARRA legislation you realized it's not simple to figure out exactly what a breach is. So I think it is really important they have a firm grasp of what is meant by breach and translate that into language that they can communicate within the organization well so that...everybody has a basic understanding of what a breach is.
Then, once they understand what they are really looking for, they should look for whether any information that they currently have unsecured could be encrypted because that is one way of protecting against breaches.
Third, they should then develop processes and governance for notifying individuals affected by breaches including breaches that are discovered and reported by their business associates. And then finally, they need to train everybody on how to avoid breaches to begin with, how to recognize a breach when they see it, and what to do if they suspect that a breach has occurred. And that needs to include the business associates.
ANDERSON: Under the breach notification rule, organizations that encrypt patient data don't have to report breaches because the data is assumed to be unreadable. So would you advise hospitals to encrypt all data they transmit to others and data stored on portable devices as well?
BAKER: I would advise hospitals to encrypt all mobile devices that could be used to store or transmit PHI--protected health information or identifiable health information--and that are known to traverse exposed networks, or even if the possibility of their traversing unsecured wireless can't be ruled out...Today, information travels through air, so we really have to think not only where we have wired networks, but also where cellular and mobile and Wi-Fi transmissions could pick up information as well.
ANDERSON: What about information at rest, data stored in internal clinic databases. Many hospitals have yet to encrypt that data, citing the cost involved and concerns about performance issues. Is encrypting that data at rest practical?
BAKER: Well encrypting information these days is much more practical than it has been in the past when encryption did pose significant performance concerns. It really doesn't any more. So that is no longer a really big issue. But for databases that are physically and electronically secured in data centers, I think it is a risk management decision that every organization needs to make for themselves.
In other words, I don't think there should be a mandate that all databases containing PHI should be encrypted.
ANDERSON: On December 30, new proposed standards for certifying electronic health records were unveiled as part of the broader Medicare and Medicaid EHR incentive payment program. The criteria specifically required that EHR software must include encryption capability. Do most of the EHRs already available on the market include the required form of encryption, or will most of the vendors have to add that capability or enhance their existing encryption offerings?
BAKER: Well for the most part the standards and certification criteria that were adopted in the interim final rule are exactly those that our committee recommended, and we were very careful to recommend only those standards that we believed could be accommodated by the EHR industry by 2011. And we did take testimony from the public, including vendors.
We recommended that the advanced encryption standard, or AES, be used as the encryption standard. AES is the NIST-recommended standard...It is widely used today, and I believe it is very feasible and reasonable to require that.
ANDERSON: The EHR certification criteria proposal notes that those organizations that find encryption is "not reasonable and appropriate in its environment" can comply with the HIPAA security rule if they implement an equivalent alternative measure. Is that language intended for smaller organizations, and what might such an alternative measure be?
BAKER: The interim final rule says that an organization may elect not to use encryption if they deem that is not reasonable or appropriate for their environment. The IFR does not say that a vendor has the option not to provide the capability.
So in other words, the certification criterion is there and all products that are submitted for certification must be able to encrypt and decrypt information. This is a fundamental difference between certification and meaningful use. A product is certified to have a particular capability like encryption, but a meaningful use measure speaks to what an organization that uses that product needs to do--in this case, whether or not they need to encrypt information using that certified encryption capability.
ANDERSON: Having understood that distinction, what does that language here mean when it says an organization could choose an equivalent alternative measure. What might some of those measures be?
BAKER: Well that is a term that is taken right from HIPAA...(It means an organization has) to say "here is what I'm going to do instead." For example, if you have a database that is in a physically and electronically secured data center, that could be an acceptable alternative to encrypting all the data on it.
ANDERSON: The certification criteria require EHRs offer some sort of access control mechanism, but do not specify a standard because new technologies are constantly emerging in this arena. What's the best access control mechanism available now, and what kinds of improvements do you expect to emerge in the months to come?
BAKER: Well most EHR products today support role-based access control, and I think it is quite appropriate for most healthcare environments, even small practices, to use role-based access controls. In other words, the receptionist has particular accesses, whereas the nurse has other accesses and the physician has different access...The next improvement I expect to see in the access control arena is the ability to tag information with sensitivity labels, probably using XML...Some work is already being done in this arena even by HL7. Ultimately we'll be using XML to put sensitivity labels on information.
ANDERSON: Can you explain what you mean by a sensitivity label?
BAKER: Well, (a label indicating whether information is protected health information) for example; or whether it is identifiable health information or not identifiable, whether it's mental health information. You may even use XML tags to tag the individual's consent...We'll be seeing more use of XML...as consent starts being captured with the information, and as we start recognizing different segmented types of information.
ANDERSON: The federal government on December 30 also issued proposed meaningful use criteria describing how hospitals and physicians can qualify for incentive payments for using electronic health records. The proposal states that to qualify for stage one payments, hospitals and physicians need to conduct or review a security risk analysis of the certified EHR technology itself. Can you explain a little bit about what organizations need to do to comply with that requirement?
BAKER: Well they need to comply with HIPAA. The HIPAA security rule already requires that organizations conduct an annual risk assessment. But when they adopt EHR technology, it does introduce new risk that...wouldn't have been present before they adopted the technology.
So they do need to incorporate into their annual risk assessment that they were already required to do under HIPAA some of the risks that are associated with EHR technology. For example, if they do any prescribing over the internet, that introduces new risks...data loss and corruption...those kinds of risks. So they need to incorporate new risks into the risk assessment.
ANDERSON: The attorney general of Connecticut recently filed a civil suit against an insurer in the state for security violations. Now that state attorneys general have this power under the HITECH Act and the federal Office of Civil Rights has enforcement power as well, and penalties are a lot tougher, do you think more organizations will finally be ramping up their data security efforts?
BAKER: Absolutely. Congress recognized that the HIPAA security and privacy rules have not been strictly enforced. In fact, my understanding is that prior to ARRA, no charges had ever been brought for HIPAA violations.
ARRA, or the stimulus bill, strengthens both the enforcement and the penalties, and it also brings the business associates into direct regulation by Health and Human Services. So yes, I expect both covered entities and business associates to ramp up their efforts to assure compliance.
ANDERSON: Thank you very much Dixie. We've been talking with Dixie Baker of SAIC. This is Howard Anderson of the Information Security Media Group.