Hospitals Must Ramp Up Breach Detection
Lisa Gallagher of HIMSS urges "systematic" approach
Gallagher, one of the nation's leading healthcare data security experts, advises hospitals to "go beyond compliance" with federal regulations to "implement an active security risk management process." She also urges hospitals to allocate adequate resources to security so they can address potential threats identified in their risk assessments.
A recent survey by Chicago-based HIMSS found that most hospitals spend less than 3% of their IT budget on security, a level Gallagher calls inadequate.
As the federal government provides billions of dollars in funding for electronic health records through Medicare and Medicaid incentive payments, the government and the industry "need to make sure adequate resources are applied to security," she adds.
In addition, she notes that HIMSS advocates widespread use of data encryption as a "best practice."
HOWARD ANDERSON: This is Howard Anderson, Managing Editor at Information Security Media Group. We are talking today with Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society. Thanks for talking with us today, Lisa.
LISA GALLAGHER: Thank you, Howard. Happy to be here.
ANDERSON: A recent HIMSS survey determined that only about half of hospitals have a full-time chief information security officer. Was that a surprising result, and do you believe most hospitals should have someone in that full-time position?
GALLAGHER: I do find that result somewhat surprising. I would have thought that the number would have been a little bit higher, and I do feel that organizations should have someone in that role.
ANDERSON: The survey also showed most hospitals spend less than 3 percent of their IT budget on data security. Do you think that level of spending will grow in the years ahead as more hospitals automate more clinical data?
GALLAGHER: To me, Howard, this is one of the most significant results from the survey. When I testified at the federal HIT Standards Committee meeting in November, I stated that this result was very concerning to me and it prompted me to portray the...results of this survey as a call to action to the industry. As we put more money into this sector for technology adoption, we should all collectively think about finding ways to ensure that adequate resources are applied to the security area.
So rather than just putting the onus directly on hospitals and even provider groups, what I wanted to say is the industry itself and those providing incentives need to take a broad look at how we can find ways to make sure that adequate resources get applied to security as we are adopting and implementing this technology.
ANDERSON: About 55 percent of those surveyed said that they conducted a risk analysis on an annual basis or every six months. Should all hospitals be conducting such an analysis annually or more frequently?
GALLAGHER: I believe that they should be conducting such an analysis at least annually. Remember that a security risk analysis is the basis of HIPAA compliance, so all organizations should be doing it. Also, a risk analysis is listed as the single requirement in the security area for achieving meaningful use of electronic health record technology (for the Medicare/Medicaid EHR incentive payment program) in the meaningful use notice of proposed rulemaking that just came out on December 30.
So the point here is that with the laws and regulations that are currently on the books and recently being promulgated, risk analysis is really the basis of the security activities that they are expecting organizations to undertake.
ANDERSON: Only half of the hospitals in this survey said their organization has a plan in place now for responding to threats or incidents of a security breach. Do you expect most are working on such a plan now given the new federal data security breach notification requirements?
GALLAGHER: We didn't find a lot in the works in the survey, but I think that, as you mentioned, the new federal data security breach notification requirement may bring attention to that issue. That having been said, I think that an incident response plan is a much broader type of plan or process for the organization. It covers all activities that are put in place to detect and respond to a breach. One component of that, of course, is notifying who is affected, and we know now that this is not only a regulation but this is also good business practice.
But I still have some level of concern that organizations may be lacking a comprehensive incident response plan. So hopefully that breach notification law will bring attention to this area for healthcare organizations.
ANDERSON: Besides crafting a breach reporting plan, what other steps should hospitals be taking to prepare for complying with the new data breach notification rule, which will be enforced starting later in February?
GALLAGHER: Organizations really need to work within their own staff to be actively identifying breaches and compromises of patient data in a much more systematic way. In a related question, we asked those organizations that did conduct a risk analysis what was the best benefit of that process, and what they said was that they were able to find patient data at risk.
That having been said, if it is at risk and they know that, they need to monitor to make sure they catch when it actually is compromised. They need to be actively monitoring their networks, their logs and the integrity of the patient data that they have so they can detect breaches as soon as they happen and then notify those affected. There are lots of tools and methodologies available in the market to help them do that.
ANDERSON: The breach notification rule now also applies to business associates, partners of hospitals. How should hospitals be working with these vendors to help them prepare?
GALLAGHER: Well, the rule requires that the business associates make their notification to the covered entity. So the business associate needs to report the breach back to the covered entity that gave it the data or shared the data with it. Therefore, the covered entity should be proactively discussing what that process is for the business associates to report to them. In fact, this process should already be in place, as the regulation for breach notification reporting is already in effect.
ANDERSON: Under the breach notification rule, organizations that encrypt patient data don't have to report breaches because the data is assumed to be secure. Is HIMSS encouraging its members to make broader use of encryption as a result?
GALLAGHER: Yes, I would say that HIMSS is encouraging that as a best practice. This is considered best practice in most industries, and I personally believe it should be implemented by healthcare organizations that have the resources to do it. And, it is clear that Congress meant to...motivate the industry to do that by including that as a safe harbor for the breach notification rule. So yes, we are encouraging the use of encryption.
ANDERSON: On December 30, new proposed standards for certifying electronic health records were unveiled as part of the broader EHR incentive payment program for Medicare and Medicaid. The criteria for certifying EHRs specifically require that the software must include encryption capability. Do most electronic records applications for hospitals already available include that required form of encryption?
GALLAGHER: Well, Howard, I can't actively characterize the number of applications that do or do not currently have encryption capability, but it is clear that, due to the new requirement in the certification interim final rule, they are going to be required to have that capability in order to be certified EHRs for use in establishing meaningful use under the regulation. So it is clear that if that were a gap in functionality for products across the board, it is something that HHS meant to solve by putting that requirement in the certification requirements for EHRs.
ANDERSON: Do you have a feel for whether most hospitals encrypt their electronic records that are stored internally and don't move outside of the facility?
GALLAGHER: Well, we actually asked that question in our survey, and according to our respondents, 44 percent of the organizations surveyed currently encrypt data stored in the facility, and we used the term "data at rest."
ANDERSON: So are you hopeful that that number will rise the next time you do the survey later this year?
GALLAGHER: Yes. We would...hope to see a rise in that year over year and we will be asking that question again.
ANDERSON: The EHR certification criteria proposal notes that those organizations that find encryption is "not reasonable and appropriate in its environment" can comply with the HIPAA security rule if they implement an equivalent alternative measure. Do you have a feel for what that might be?
GALLAGHER: Originally when HIPAA was promulgated there was a lot of concern that encryption would be cost-prohibitive for some healthcare organizations, especially smaller ones. (So) they are allowed to include the cost as a factor in the risk analysis. My best guess is that there are perhaps some policies and procedural controls that could be put in place as well as perhaps physical controls that could be utilized, but the organization would have to clearly show that those controls that they put in place at their organization as implemented would...add up to equivalent alternative measures. So that really is a very organization-specific and implementation-specific determination that they would have to defend if questioned as far as their overall compliance.
ANDERSON: The certification criteria require EHRs to offer some sort of access control mechanism but do not specify a standard. What kinds of access control do you think vendors of certified EHRs are likely to offer?
GALLAGHER: Well, as you mentioned, HHS took a look at this issue again and determined that for next year's certification criteria they would require the access control capability but did not choose to adopt a specific standard for them to meet for access control. They stated that this is because they believe that the industry will continue to innovate at a very rapid pace in this area and that by the time they specified a standard, better methods might be available than they could possibly specify on an annual basis.
I believe they will re-evaluate this over time. But they are really leaving it to the market to innovate with regard to access control mechanisms. They do state elsewhere in the regulation that at a minimum they are expected to be able to assign a unique user name and/or number for identifying and tracking the user identity and also have controls in place that permit only authorized users to access electronic health information. So that is a generic description of access control...and then the vendors would innovate and provide capabilities beyond that in the marketplace.
ANDERSON: As you mentioned earlier, the federal government on December 30 also issued proposed meaningful use criteria describing how hospitals and physicians can qualify for incentive payments for using electronic health records. The proposal states that to qualify for the first stage of incentive payments, hospitals and physicians need to "conduct or review a security risk analysis of certified EHR technology." Can you explain just what that means?
GALLAGHER: I think we (HIMSS) will probably submit some questions on that exact wording, but this is how I would interpret it for now. An organization should conduct a security risk analysis of their implemented EHR--how it is implemented in their environment--or procure a security risk analysis from a third party, such as a consultant, and then review those results and act on the recommendations from the risk analysis results to determine what changes or additions they might want to make to their security controls in that environment to address any risks that are uncovered during that analysis.
So, conduct one yourself or procure one from a third party, review the results and act on the recommendations. That would form the basis of your security work for your implementation for the first year.
ANDERSON: Finally, do you have any other advice for hospitals on data security priorities for the year ahead?
GALLAGHER: I have two pieces of advice. Make sure that your security function in your organization is properly resourced. Make sure they have the appropriate knowledge, the appropriate staff and the appropriate budget to meet the requirements that are not only included in the regulation but are really coming out of the security risk analysis that you should be doing.
And then, make sure that your security activities move beyond just compliance activities to really implement an active security risk management process. We can see a pattern in regulatory and statutory provisions now, but they are really asking organizations to base everything they do in security in an ongoing and active security risk management process. So take a look at what your resources are and make sure you are practicing security risk management.
ANDERSON: Thanks very much, Lisa. We have been talking today with Lisa Gallagher of HIMSS. This is Howard Anderson of the Information Security Media Group.