One of the key responsibilities of the Office of the National Coordinator for Health Information Technology (ONC) is to provide strategic leadership to the public and private sectors. Mandated under the HITECH Act of 2009, the ONC must publish and periodically update its strategic plan for improving healthcare through the use of information technology.
The Federal Health IT Strategic Plan, 2011-2015, first released in draft form in March 2011, paints a picture of a rapidly evolving health IT landscape. It sets five overarching goals for “unlocking the vast promise of electronic health information to improve decision making, help individuals better manage their health, and improve the health system’s capacity for rapid learning.”
Making this plan public, and in fact inviting public comment on it, is helpful to the cause. It gives the ONC a vehicle to communicate priorities, solicit input, guide efforts and influence the allocation of resources.
With the public comment period closing today (5/6/2011), and in advance of next week’s NIST/OCR HIPAA Security Rule Conference in Washington, D.C., I felt this was an opportune time to post my public comments here. Here goes:
The Blumenthal era smartly focused success around the concept of “meaningful use,” first as a measure of electronic health record (EHR) adoption and usage, and later as a rallying cry for IT health transformation in general.
Usage is, after all, tantamount to success. And the converse is also true. “No one knows how many computer-based applications designed at great cost of time and money are abandoned or expensively overhauled because they were unenthusiastically received by the intended users.” (“Power, Politics, and MIS Implementation,” M. Lynne Markus, M.I.T. June 1983)
This is a critical point. The draft Health IT Strategic Plan has, as its ultimate end goal, improved patient outcomes. That goal cannot be achieved without widespread adoption of electronic health records (EHRs). But does the Strategic Plan do enough to address the potential pitfalls and impediments that could undermine EHR usage?
In my opinion, no. Security and privacy requirements must be made more prominent, both in the plan and in practice, with more stringent, regular testing and reporting. Although security and privacy constitute one of the five primary goals of the Plan, the topic commands only 6 pages of the 80-page document (pp. 29-35). Also, by being listed as Goal III of five, the implication is that these critical issues are third in priority or third in time sequence.
While this may be an unintended impression, it still conveys the wrong message. Privacy and security are not simply goals; they are foundational to adoption and usage. They are therefore necessary conditions for achieving all four of the other primary goals, and for any continued advancement of the health IT agenda.
Even the language used in describing “Goal III” is tepid (“stepping up protections,” “discussing major investment in education and outreach”). Notably absent are calls to action that inspire real commitment to regular monitoring and measuring, self-enforcement, and driving continuous improvement.
Perhaps the ONC believes that more stringent breach notification requirements and increased financial penalties will act as “an invisible economic hand” that guides healthcare providers to implement reasonable and appropriate measures to safeguard ePHI. But a fully comprehensive strategic plan must also include contingency planning – what if breaches continue to increase despite strict breach notification rules and more costly penalties?
And how does the ONC address the inherent incongruity of requiring public breach notifications for large incidents (those affecting 500 or more individuals) while aiming to “inspire confidence and trust in health IT”? How can the healthcare industry combat the undermining of public trust when it is forced to publicize its biggest failures? Personal notification of those affected is an obvious necessity, but is there a cumulative psychological impact from frequent breach press releases, a repetitive stress injury to the ultimate goal, if you will?
We suggest immediately elevating privacy and security to a higher plane. Rather than a goal, make it as foundational an element as meaningful use, the bedrock of the strategic plan. At Redspin, we suggest calling it “Meaningful Healthcare IT Security.” In fact, we’ve applied to trademark the tagline, not for any proprietary purpose, but to make a point. (We’ll gladly license its use to the ONC for free).
So what is “Meaningful Healthcare IT Security?” First, it is an acknowledgement of the complex challenges healthcare organizations face in meeting the sophisticated levels of privacy and security necessary to protect the public. Those levels will not simply materialize out of the “carrot and stick” approach of incentive payments and breach penalties. Second, privacy and security need to be understood as preconditions to meaningful use, not just a “part of” it.
Next, the “security risk analysis” identified as Core Measure 15 should be defined as more than compliance with the HIPAA Security Rule. Effective security is a process-driven cycle of regularly scheduled assessments, validation, remediation and reporting that delivers continuous and durable improvements in information security and helps develop a culture of security awareness within organizations.
We want to help meet the ONC’s ultimate goal of improving patient outcomes “by unlocking the vast promise of electronic health information.” But we don’t want to leave any doors unlocked that should be protecting privacy and security.