News

IT Pros in Health Care Grapple with New Security Safeguards

• By Stephen Swoyer
• 12/01/2009

Health care providers are once again under the gun, struggling to ensure compliance with yet another set of information security and privacy safeguards. It's a familiar, if reactive, stance.

In the early part of the decade, health care shops found themselves in racing to comply with the security and electronic document interchange (EDI) provisions of the then-new Health Information Portability and Accountability Act (HIPAA). HIPAA proved to be so disruptive that Congress repeatedly extended HIPAA's EDI deadlines first through 2003, then on a "contingency basis" through 2005, giving IT organizations additional time to comply.

This time, health care IT professionals are grappling with the IT provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act, which Congress passed earlier this year as part of the Obama administration's omnibus economic stimulus package.

HITECH, scheduled to take effect in February 2010, extends HIPAA's information security and privacy provisions. HITECH has a decidedly toothy character: Among other changes, it updates HIPAA with additional enforcement, audit and penalty provisions. Organizations have ample incentive, then, to ensure compliance with HITECH mandates.

The rub is that a majority of shops -- more than half, according to researchers -- aren't sure they can comply with HITECH's new information security and privacy guidelines. For example, according to a survey of 77 U.S. health care organizations conducted by accounting firm Crowe Horwath LLP (at the behest of information security specialist The Ponemon Institute), just 47 percent of shops feel they have the resources or budget to comply with HITECH mandates. Overall, the survey found, 94 percent of shops say they aren't yet ready to comply with HITECH's privacy and security provisions.

Call it HIPAA redux. In fact, researchers say, one reason shops aren't yet ready to grapple with HITECH is that many aren't yet fully up to speed on HIPAA -- despite the fact that most HIPAA mandates are in effect.

The first round of HIPAA information management and security requirements kicked in at about the same time (2003 and 2004) when the United States was recovering from the dot-com implosion. The result was that IT organizations were understaffed and underfunded -- in some cases, drastically so -- just as they were racing to comply with HIPAA mandates. The same goes for HITECH.

"We believe that most organizations are not ready for HITECH as a result of compliance issues within their existing HIPAA programs," said Raj Chaudhary, a principal with Crowe Horwath's risk consulting group, in a statement. "Even though most organizations acknowledge that their HIPAA compliance programs are deficient, our survey found that implementing necessary controls or securing third-party assistance to help ensure compliance may be limited due to budgetary restraints."

Sponsorship is another problem: HIPAA garnered a great deal of press, thanks in part to its unprecedented enforcement provisions.

Although HITECH has plenty of teeth, management isn't on board. More than half (55 percent) of shops cited a lack of management support or sponsorship for HITECH compliance. "Our research consistently finds that a lack of budgetary and moral support from the executive suite is a common barrier to proper data security and management programs, even with the specter of regulatory enforcement looming," said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, in a prepared release.

Elsewhere, a lot of shops admitted to the likelihood of "significant gaps" in their privacy and security efforts. Nearly two-thirds (60 percent) acknowledged that they have only partially implemented risk-based programs to safeguard the privacy of protected health information. Similarly, half of organizations conceded that they probably aren't providing adequate training for privacy or security, while nearly half (45 percent) believe they haven't developed clear or effective policies governing the use or dissemination of protected health information.

Surprisingly, the Crowe Horwath/Ponemon survey found that almost all health care shops have experienced data breaches of some kind. Fully 90 percent of organizations said they have experienced a data breach that involved the loss, theft or misappropriation of at least one health record.