Security Vendors Take Aim at HITECH Act for Healthcare IT Overhaul
November 17, 2009 Alex Woodie
While our representatives in Congress hash out healthcare reform, the executive branch of the government is already moving forward with aggressive new regulations aimed at ensuring the security of electronic medical health records and healthcare information systems. Whatever changes Washington imposes upon the healthcare industry, existing laws like the HITECH Act, a recently strengthened HIPAA, and the Red Flag Rules have put into motion a massive overhaul of healthcare IT systems–and the healthcare industry is woefully unprepared to deal with it.
The HITECH Act (officially the Health Information Technology for Economic and Clinical Health Act) was part of President Obama’s $787 billion economic stimulus package (officially the American Recovery and Reinvestment Act, or ARRA) that was passed in February. The aim of HITECH is largely to encourage the healthcare industry to adopt electronic health records (EHRs), which are supposed to save us money, by putting into place strong provisions to keep that sensitive data private and secure.
HITECH will mandate that good security practices are used by hospitals, doctors’ offices, insurance companies, billing companies, and the myriad other groups that touch sensitive medical data. Like the PCI mandate, HITECH will require the use of encryption to protect data. Like Sarbanes-Oxley, it requires audits and a scale of fines for violations–as well as the tantalizing possibility that healthcare company executives will be marched off to jail for repeated violations. And in a unique nod to the power of the pen, HITECH requires companies to notify the media of security breeches greater than 500 records.
The timeline for the implementation of HITECH is a little bit up in the air. Lawyers and judges are still hashing out the document, but a ruling is expected next month that will put the final law into effect by next summer. That is also the general timeline that the Red Flag Rule, which mandates that doctors protect personal data like credit card numbers, goes into effect. Then there is the change made this month on HIPAA, which got the enforcement “teeth” that is expected to push the industry into adoption, making HIPAA, HITECH, and Red Flag a powerful one-two-three regulatory punch.
Now, it’s up to healthcare providers and the IT industry–specifically the security software and services providers–to figure out how to put this into action. The ARRA stimulus package included $19 billion to help implement HITECH. But nobody thinks it will be easy or cheap.
A ‘Disaster Waiting to Happen’
Information security in the healthcare industry is woefully inadequate, and the industry is highly unprepared to deal with the massive changes that are needed adapt to HITECH and new HIPAA provisions, according to security experts and recent studies.
One person with a good perspective of the poor state of security in the nation’s healthcare industry is Feisal Nanji, executive director for Techumen, a provider of information security services to healthcare companies. From 2003 to 2008, Nanji headed up the applications security unit at Ernst and Young. During that time, he worked with a large healthcare company that was considered to be the “gold standard” for information management and informatics.
“When I looked at [their information security], I realized, ‘Oh, my gosh, this is a disaster waiting to happen,'” Nanji says. “The records are clearly not secure. They’re not private. And there are many reasons for this.”
One of the biggest reasons is that, when lives are on the line, healthcare organizations–from individual hospitals to regional health information organizations (RHIOs) that function as hubs for EHRs–prefer to err on the side of easy information access.
“If I’m a doctor in an operating room, and I’m prevented from getting access to a critical image or medical record, because I don’t have my secure ID token with me, or I forgot my password, I’m going to be really pissed,” Nanji says. “And as you know, in hospitals doctors are gods, so for the most part, providers are going the route of providing full access to all the doctors.
“But then the question becomes, How do I know if doctor A or doctor B, or the nursing administrator or the person doing the billing or the coding, is not looking at records that he or she is not supposed to see?” Nanji says.
That first-hand experience of poor security practices at healthcare organizations is backed up by a recent survey conducted by the Ponemon Institute on behalf of Crowe Horwath, a national accounting company.
According to the study, 57 percent of respondents said they have known deficiencies concerning privacy or security, while 90 percent admit to losing at least one record over the last two years. Fewer than 80 percent said they don’t have regular independent audits (which will be required under HITECH), while less than half said they have the money to comply with the new regulations.
The survey led the accounting firm to conclude that “most organizations are not ready for HITECH.” But that hardly comes as a surprise.
No Silver Bullet
As is the case with most information security problems, there is no single product or process–no silver bullet–that healthcare companies can implement to take care of their new security obligations.
But security vendors are still expecting to reap significant dividends from the new laws. In particular, the companies that develop software known as security information and event management (SIEM) systems are champing at the proverbial bit.
Mike Regan, vice president of marketing for SIEM vendor LogRhythm, says there has already been an up tick in sales as a result of HITECH. “It’s early innings. But this is going to mushroom,” he says.
It’s hard to say whether HITECH will do for SIEM sales what SOX did for change management vendors. But there’s a really good chance, because experts like Nanji don’t see how the healthcare industry can get the needed visibility into their systems without something like SIEM.
“Everybody will tell you they have a log file,” Nanji says. “But if you’re trying to collate log files from 400 servers and 500 devices and four different medical record systems and a pictorial archive system, and so forth, and overlying that with an LDAP directory, then it becomes completely crazy. So what you really need is a centralized logging engine to help you do that, and one that allows you to build on intelligence as you grow.”
Nanji is a big backer of LogRythm, which he says has a superior architecture that has the required scalability to address the provisions of HITECH. Not only does LogRythm allow security professionals to monitor data access across all major platforms–thereby helping to address new audit requirements–but it has the capability to take steps to shut down unauthorized access in real time, providing operational teeth.
Regan doesn’t see how healthcare companies can comply with HITECH without significant investments in new security systems. “If you’re not capturing the log data–which in effect is the digital fingerprints of all activity associated with accessing this confidential data–and structuring it in a database in a way that you can quickly search and monitor for and alert on anomalies, then you’re really dead in the water and you have no good source of insight into level of abuse or misuse or unauthorized use of that confidential information,” he says.
Software vendors and auditors have done quite well over the last decade as the result of government mandates, starting with the overhaul of financial reporting with Sarbanes-Oxley in 2002, food safety with CFR 21 Part 11, and credit card transactions with PCI. Now it’s healthcare’s turn to air its dirty laundry and be publicly reprimanded for jeopardizing the information security of Americans, and it’s not going to be pretty.