If Chris DeVoney hustles, he can stay one step ahead of the hackers he fears are going to steal patient records. But he doesn't dare rest. He is the computing director at the clinical research center of the University of Washington Medical Center. In the past year, he has patched and installed software firewalls on 50 to 100 disparate medical devices—everything from computers to printers to FDA-approved devices that must sit behind an inline bridging firewall, because no software can be loaded onto the device itself.
Last month, he cleaned up after an attack by the Witty worm, which rewrote hard drives on 80 or so computers. The week before that, a notebook computer was hacked as it tracked data emanating from sensors attached to a subject who was sleeping as part of a research project. The campus had to “cut the hacker out” by turning off Internet access to the notebook so the study could be finished, says DeVoney.
The research center depends on the university's technology infrastructure, and government budget cycles make it hard for the university to buy what it needs when it's needed. Right now, for example, DeVoney has no perimeter firewall. Nevertheless, in April 2005, the Medical Center and thousands of other healthcare organizations will have to comply with regulations to protect the electronic security of patients' records—records that keep track of their physical or mental conditions, their treatments and their healthcare insurance and payments. Violations can incur civil penalties of up to $25,000 per year for violations of the same provision, and criminal penalties of up to $250,000 in fines and 10 years in prison. (Very small organizations have an extra year to comply.)
The regulations cover security in 18 areas, divided among three broad categories: administrative safeguards, such as policies on who can update records; physical safeguards, such as controls on access to buildings and equipment; and technical safeguards, such as firewalls, used to protect patient records. Organizations must specify who has access to what information, how computers are safeguarded, and how security breaches are handled.
Institutions, for instance, will have to track every time a patient record is transferred electronically, by any means or medium. In other words, a hospital will have to document not only when information is transferred online from one department's electronic files to another's, but also when and how the data is moved on foot, on a magnetic tape, disk or other physical medium. In addition, the hospital will have to specify what kind of card readers or other devices are installed to make sure only authorized workers can get to workstations or servers. They must even specify how devices or disks are checked out from work areas.
The regulations are part of HIPAA—the Health Insurance Portability and Accountability Act passed in 1996—and are just the latest in a series of rules the law will generate for years to come. But the cost of complying—ranging from $20,000 to $1 million for security alone, according to Jon Bogen, founder of West Chester, Pa.-based HealthCIO—is being borne by the organizations themselves.
Security Regulations Are Not Always Clear

Healthcare institutions have been treading the road toward HIPAA compliance for years, and financial cost is not the only reason progress has been slow. One big challenge for CIOs, according to healthcare consultants, is that the regulations are not always clear, and that technology by itself will never make an organization secure. For example, password-protected access to patient records is worthless if a healthcare worker forgets to log out before she walks away from the computer and the screen doesn't go blank.
“If everybody had it to do over again and get the rules out in a reasonable fashion, it wouldn't be like this,” says John R. Christiansen, a director at accounting firm PricewaterhouseCoopers.
Some organizations, such as El Camino Hospital in Mountain View, Calif., are already compliant. But that hospital, a not-for-profit district hospital located in Silicon Valley, has both the money and the technical expertise to handle HIPAA, claims chief technology officer Joe Wagner. The hospital spends 4.7% of its operating budget on information technology compared to an industry average of about 3%, says Wagner, an engineer whose last job was designing transportation systems. Wagner says hospital technology leaders lack corporate experience in areas such as banking or engineering or manufacturing—areas that would teach them to improve security, boost productivity and cut costs within the confines of a tight budget, which is what they have to do. As a general rule, hospitals are focused on delivering healthcare, not using technology to improve business processes and turn a profit, Wagner says.
Even so, slightly more than half of medical organizations expect to comply with the security regulations by the beginning of 2005, according to a survey conducted by the Healthcare Information and Management Systems Society in winter 2004.
One consultant says some of his clients are still looking for their electronic information. According to Steven Weil, a senior security consultant with Seitel Leeds & Associates in Seattle, Wash., technology executives don't necessarily know what's happening to their protected health information—whether it is being copied onto CD-ROMs, for example, or e-mailed outside the institution. “Hospitals can sometimes have very small technical staffs of caring people rushing around all day,” Weil says.
And some institutions are still figuring out exactly how they conduct business. John Stewart, an artist in San Jose, Calif., broke his leg recently, but missed his first appointment for surgery at the county hospital, Santa Clara Valley Medical Center, because nobody told him about it. Whether the hospital misplaced his records or the Post Office failed to deliver his notification or the battery ran down on his cell phone, Stewart isn't sure.
Every System Must Be Individually Tailored

But John Quinn, the chief technology officer for Cap Gemini Ernst & Young Health Consulting, says hospitals misplace patient records “all the time.”
As Quinn sees it, “That's an argument for having electronic records.” But while HIPAA ultimately will drive the need for such records, neither the medical nor the technical standards required to exchange them exist today. Indeed, Quinn says, one fear among his clients is that electronic health records will become mandatory, a prospect raised by President Bush in his State of the Union address in January. One of Quinn's clients, a 21-hospital network, spent $300 million on a system for such records. Quinn adds that every system must be individually tailored because “nobody practices medicine in the same way.”
The Department of Health and Human Services spent several months rewriting the security regulations to try to make them more flexible and more practical, a reflection of the Bush administration's more business-friendly spirit. Implementation specifications designated “addressable” (as opposed to “required”) may be skipped or replaced with an equivalent measure, provided the organization documents its reasons why. Weil, however, warns clients to err on the side of caution—he says he would never tell a client not to test a disaster-recovery plan, even though the regulations seem to suggest that option. “Even if [that's] only addressable, I would tell the customer, do it,” he says.
Meanwhile, the government is already enforcing the regulations on privacy—which protect patient information in all formats, electronic or not—and the regulations on conducting transactions, which HIPAA is trying to standardize and which affect functions such as billing. Christiansen says the latter regulations require technology upgrades and that the government is currently required to enforce them by “holding its nose and muddling through.”
Even some executives feel overwhelmed when they look at the 18 areas for security compliance that they have to address, HealthCIO's Bogen says. How will they find the time to review computer logs so they know if a breach has occurred? If there is a breach, how do they have to respond? At the clinical research center in Washington, an attack by the Blaster worm last summer drained the research budget for several medical-school projects. So the university hired contractors who spent weeks making sure that all systems were clean. “When you see these viruses take over things, there's the impact no one's been talking about,” DeVoney says.
But information on how to comply with HIPAA is there for those who search—Christiansen, for example, recommends asking professional liability insurers. And more tools to help with compliance are coming. Bogen is part of one group working with URAC—a Washington, D.C.-based non-profit focused on healthcare quality—that is customizing freely available tools so healthcare organizations can get going on their risk assessments. The tools are due later this month, and are expected to precede by a few months tools coming from the Commerce Department's National Institute of Standards and Technology.
In the end, though, technology, although critical, is only a small part of compliance—Weil estimates as little as 10%. So these consultants warn healthcare organizations not to be fooled by vendors claiming “HIPAA-compliant” products: a product can support compliance, but only an organization's policies, processes and documentation can make it compliant.
What You Should Do To Meet HIPAA Security Requirements
ASSESS YOUR RISKS.
Get help to see where your organization is vulnerable—physically, administratively and technically.
WRITE A SECURITY POLICY.
Who has access to what information? Should all employees be allowed to see autopsy reports?
CREATE AN OFFICE TO MANAGE PROJECTS.
Designate a person to keep track of compliance and its costs.
DOCUMENT PROCESSES.
Figuring out the steps will help you find compliance holes. It'll also help you explain your actions in case you get sued.
Sources: Steven Weil of Seitel Leeds & Associates, Jon Bogen of HealthCIO.