Physicians, Experts Make the Case for Secure Data Exchange at HIMSS13

March 5, 2013
Marisa Torrieri

Sharing data can help streamline patient care. But many physicians are hesitant given the obstacles and potential consequences of losing this information in transit.

Being part of a digital network - where your healthcare organization can exchange information with other providers - is the best way to coordinate care and improve patient outcomes. In turn, it also reduces wasteful spending.

Unfortunately, there are obstacles to sharing data and exchanging information, which is why many physicians, especially those in the practice setting, are reluctant to do so.

With the recently passed HIPAA Omnibus Rule, which imposes steep penalties for breaches of protected health information (PHI) that was not encrypted (up to $1.5 million per year for violations of a single provision, plus other non-monetary penalties), the government is sending the message that data security must be a physician's top priority. In addition, the growing number of medical identity thefts and laptop losses is enough to make any clinician fidgety when it comes to the topic of sharing anything.

As interoperability, HIPAA, and secure data exchange are predominant themes at this year's HIMSS13 annual conference and exhibition in New Orleans, Monday kicked off with a number of sessions devoted to securing data and sharing information in the digital EHR age.

During the morning session, "Improving Patient Outcomes Through Secure Data Exchange," speakers William Braithwaite and Michael Nelson, DPM, noted the potential for breach and misuse of PHI. Braithwaite is the chief medical officer for Equifax and Nelson is the data security firm's vice president of strategy and business development.

That's why providers need to identify and assess risks and threats to data in advance, Braithwaite told the audience.

"The backbone of trust comes from this risk analysis," said Braithwaite, adding that, when managing risk, providers need to "consider size, complexity, technical infrastructure, hardware, and software security compatibilities and costs." By doing a risk analysis, providers will have a better idea of the type of technology purchase they make as well as the level of identity authentication required under HIPAA, he said.

CynergisTek CEO Mac McMillian, chair of the HIMSS Privacy & Security Policy Task Force and a speaker at three HIMSS sessions (including "Business Associate Management under HIPAA: More Than Just a Contract"), also made the case for an early baseline risk assessment to identify data vulnerabilities, threats, and the risk mitigations currently in place.

Often, when McMillian visits practices to help them with baseline risk assessments, he finds their technology lacking. In fact, he recently read an HHS Office for Civil Rights report on HIPAA audits, which noted that 65 percent of HIPAA deficiencies, such as not having adequate controls in place, occurred in the provider space.

"We often find, when we take a look at physician offices, the technology is not where it needs to be to interface with a hospital," McMillian told Physicians Practice in a one-on-one interview. "They don't have the security they need. They have a server, but they don't have things like firewalls and other necessary technology to set up a VPN or other tunnel."

Providers also need to consider data security when sharing information with third-party business associates.

"Then they have to manage that relationship, including having procedures in place for collaboratively managing that breach," said McMillian. "They’re also responsible for helping that organization do that risk analysis."

One of the easiest ways to assess whether you want to partner with somebody is to give them a security questionnaire that includes questions such as, "Have you had a third-party security assessment?"

Providers should also be careful about accessing data on mobile devices.

"If I architect my network properly and I determine where that data needs to live, I have less of a footprint I need to encrypt," said McMillian. "I first need to figure out where I create my data and where I use it. And from there, I figure out what controls I need to have in place."