Risk assessments leave hospitals hamstrung and confused

Lisa Gallagher, HIMSS’ senior director of privacy and security, isn't particularly optimistic about providers' ability to prove patient data is safe. Asked to assign a letter grade to the security situation in U.S. hospitals, she says, "probably a C."

The question, then, is how many extra credit assignments must be undertaken to bump that up to a B+? Gallagher says it's the basic assignment that's the big problem for most providers.

"The fundamental activity that has to happen for organizations to be compliant with HIPAA and HITECH and every other regulation that comes from outside the industry – as well as your Stage 1 meaningful use – is to conduct a security risk assessment, and to do ongoing security risk analysis," she says.

"But if you look at the numbers, you see they're pretty low," Gallagher adds. "We have organizations trying to meet meaningful use Stage 1, and they're calling me and saying, 'We can meet all of the requirements of Stage 1, except the risk analysis requirement.'"

That, she says, "is very concerning, because our mission is to enable these organizations to do what they need to do" to reach meaningful use. "And we don't want a single security requirement to be a barrier."

Why is the assessment so problematic? Mostly because doing one is so far outside the areas of most health professionals' expertise. "Security and security risk assessment is a discipline that this industry just does not have a handle on," says Gallagher. "They don't understand it, they don't have people on their staff who can do it, they know they need to hire a consultant and they don't always have the time and the budget to do that."

Moreover, the requirement has long been swept under the rug. "For a long time, they thought, 'No one's monitoring HIPAA compliance, so we can put this off. We don't understand it, it requires resources we don't have, so we're just not going to do it.'"

Those days are over. Now, providers understand the stakes, at least. "I think there's a lot more awareness than there was before," says Gallagher. "Folks are understanding that with their use of technology it's not only username and password; they understand that there are security policies and procedures they need to follow."

But even if organizations have some resources to put toward a security risk assessment, she says, "they don't know how to do it, and they're confused about the threshold to compliance."

HHS has never come right out and said, specifically, "If you do the following, you are compliant," says Gallagher. "They said, 'Do a risk assessment, document it and make sure you mitigate any findings that you have.' But there's no standard for what is minimum to be compliant. And that's causing the industry a lot of stress."

Unfortunately, she doesn't see many signs of improvement. The numbers have "been flat for the past few years, and I am really concerned," says Gallagher. "There's not an answer that is easily reachable right now. I don't see in the next year that we will make much progress."

That's too bad. Because it "shouldn't be a barrier; it should enable your organization to practice sound security management," she says.

But the stipulation has obviously proven difficult for many providers to handle. "The crisis point," says Gallagher, "is going to be if we see that people can't meet Stage 1 meaningful use because of one single requirement."

Fuzzy vision

So why is HHS so vague in its calls for security assessments? Why can't they be more prescriptive?

"It goes all the way back to when HIPAA was written," says Gallagher. "It's hard to be prescriptive when you have such a variation in the size, scope and nature of the covered entities it applies to."

In other words, a small physician practice with just a couple of docs can only do a basic security assessment, and that would be enough. "For a larger enterprise, it would be a completely different exercise."

There are providers, there are clearinghouses ... a single standard is simply too difficult to define.

So HHS left plenty of wiggle room. "They said, 'What is compliant is actually doing a security risk assessment, and not doing it to a certain set of requirements,'" says Gallagher. "They left it flexible, and they thought they were doing the industry a favor."

Clearly, when it comes to meaningful use, at least, that's not quite the favor they thought it was.