Got an Extra $2,500?

September 1, 2005

Steve Rebagliati, MD, on dealing with the high cost of HIPAA.

A few years ago, all the information technology products your practice used were compartmentalized in their own little self-contained bubbles; that made information security fairly simple. If someone wanted to steal your patients' information, they'd pretty much have to break into your office.

Alas, in the modern world of the Internet, electronic data interchange, and e-mail, information security is a priority.

Brian P. Kelly, CEO of 30-physician Women's Healthcare Associates, LLC, in Portland, Ore., told me about the biggest external and internal challenges to information security in today's litigious and regulated practice environment.

External challenges

Among the external challenges, the greatest is "working with other systems that are not HIPAA compliant." Like many practices, his group transmits physician dictations digitally to outside transcription vendors over phone lines. Those lines are owned by a third party that is not a healthcare vendor. This creates contractual issues, and a concern for the physical security of tape backups.

The second is the vagueness of HIPAA security language. Help is available for a price from healthcare attorneys. Trade associations may provide some cheaper help. The Department of Health and Human Services estimates that the cost of HIPAA security compliance will be $3.2 billion in the first year and $17.6 billion over 10 years. That comes out to about $2,500 per physician per year.

The third is the volume of spyware and spam clogging physician mailboxes. Personally, I've tried just about every "off the shelf" solution. My short list of easy-to-use, easily updated desktop security tools is the McAfee virus scan product, the ZoneAlarm firewall product, and the Spybot spyware scanner.

Internal challenges

When I asked Kelly to identify the three most important information security goals for the coming year, he listed HIPAA security procedure review, systems and vendor review, and implementing a training program.

The most important factor in accomplishing these goals is to have a sound understanding of where you stand right now in your information technology security tools and practices. How?

First, you can simply outsource to a third-party vendor to do the work for you. Fees vary depending on how complex your network is, and retainers can run into the tens of thousands of dollars. It may be worth the peace of mind to do this.

Second, you can do a simple security audit yourself. A good faith effort will sometimes protect you from governmental scrutiny.

A third approach is a "black hat/white hat" analysis. You can hire outside vendors to do this for you for $30,000 or so, but you can do it yourself for a lot less. For more information, check out this link: www.infotechfordoctors.com/blackhat.html.

A "white hat" is an "ethical hacker" to whom you give permission to attack your network to find its information security flaws. Actual hackers are known as "black hats."

Black hats use a number of sophisticated methods to get what they want from you, and most doctors will have seen some examples of this:

  • Phishing, in which a hacker sends you an e-mail with the business logo of a trusted resource such as your bank. The message asks you to send personal information to "confirm" some aspect of your account. If you do this, the hacker will be able to access your money online.
  • Trojans are dormant viruses that hide out in your system until a certain condition triggers action. Such a Trojan might lurk unseen in your system registry, booting up every time you log on, and waiting for the right moment to attack, such as when you bring up the demographic information page on your electronic medical record.
  • Spyware is software that watches what you do, sometimes recording keystrokes and sending the information to another party.
  • Adware changes your home page or pops up annoying advertisements without your permission.

Questions? Ask me at www.infotechfordoctors.com. I can't promise a personal answer, but I will include the answer in future columns and white papers if it looks to be applicable to physician practices.

Steve Rebagliati, MD, MBA, is a practicing physician. He offers these resources, ideas, and tips for using information technology to increase revenues, decrease hassles, and free up time so physicians like you can succeed in a changing world. He can be reached at 503 534 3705 or techdoctor@rebelcor.com.

This article originally appeared in the September 2000 issue of Physicians Practice.