HITECH imposes data security requirements on physicians, hospitals

The HITECH Act, which is being implemented in three phases, uses Medicare and Medicaid payments as the lever for expanding the use of electronic health records and health information exchanges: physicians and facilities that participate receive Medicare and Medicaid bonus payments, while those that do not are hit with penalties.

Phase I implementation (2011–2014) provides a graduated series of financial incentives to physicians and hospitals. At the same time, certain information security measures must be implemented along with the expanded use of electronic health records and information exchanges.

For healthcare facilities, these security measures include implementation of access control; data integrity; emergency management; encryption of data at rest, in motion, and on removable media; identity proofing; log analysis and management; and system timeout.

For example, under access control, HITECH requires organizations to assign a unique name and/or number for identifying and tracking user IDs and to establish controls that restrict access to electronic health information only to authorized users.

In addition, HITECH requires organizations to encrypt and decrypt health information according to user-defined preferences in accordance with a specified standard: a symmetric 128-bit fixed-block cipher capable of using a 128-, 192-, or 256-bit encryption key, which is the definition of AES (FIPS 197). The standard names the cipher and its key sizes, not the mode of operation or how keys are managed, so those choices are left to the implementer.
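The following is an added example, not code from the article or from Index Engines, showing what the encryption requirement above looks like in practice: AES with a key of exactly 128, 192 or 256 bits, any other key length rejected, in an authenticated mode (GCM, which is my choice here; the standard only mandates the cipher) so that tampering with a stored record is detected on decryption, which also serves the data-integrity measure listed above. The function names, the record identifier bound as associated data, and the sample record are all assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// allowedKeySizes are the AES key lengths in bytes: 128, 192 and 256 bits.
var allowedKeySizes = map[int]bool{16: true, 24: true, 32: true}

// ErrKeySize is returned for any key length FIPS 197 does not define.
var ErrKeySize = errors.New("AES key must be 128, 192 or 256 bits")

// NewRecordCipher builds an AES-GCM AEAD for key, enforcing the key sizes
// the standard allows before handing the key to the cipher.
func NewRecordCipher(key []byte) (cipher.AEAD, error) {
	if !allowedKeySizes[len(key)] {
		return nil, ErrKeySize
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRecord encrypts one patient record under key with a fresh random
// 96-bit nonce. recordID (a hypothetical identifier) is bound as associated
// data, so a ciphertext cannot be silently re-filed under another record.
// Output layout: nonce || ciphertext || GCM tag.
func SealRecord(key []byte, recordID string, plaintext []byte) ([]byte, error) {
	aead, err := NewRecordCipher(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to nonce, giving nonce||ct||tag.
	return aead.Seal(nonce, nonce, plaintext, []byte(recordID)), nil
}

// OpenRecord reverses SealRecord. It fails if the key is wrong, the
// ciphertext or tag was modified, or recordID does not match the one
// bound at encryption time.
func OpenRecord(key []byte, recordID string, sealed []byte) ([]byte, error) {
	aead, err := NewRecordCipher(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(sealed) < ns+aead.Overhead() {
		return nil, errors.New("sealed record too short")
	}
	return aead.Open(nil, sealed[:ns], sealed[ns:], []byte(recordID))
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"MRN-0001","dx":"sample","note":"constructed"}`)

	for _, bits := range []int{128, 192, 256} {
		key := make([]byte, bits/8)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			panic(err)
		}
		sealed, err := SealRecord(key, "MRN-0001", record)
		if err != nil {
			panic(err)
		}
		back, err := OpenRecord(key, "MRN-0001", sealed)
		if err != nil {
			panic(err)
		}
		fmt.Printf("AES-%d: %d plaintext bytes -> %d stored bytes, round trip ok=%v\n",
			bits, len(record), len(sealed), string(back) == string(record))

		// Flipping one bit of the stored record must be detected.
		sealed[len(sealed)-1] ^= 0x01
		if _, err := OpenRecord(key, "MRN-0001", sealed); err != nil {
			fmt.Printf("AES-%d: tampered record rejected: %v\n", bits, err)
		}
	}

	// A 64-bit key is outside the standard and is refused up front.
	if _, err := NewRecordCipher(make([]byte, 8)); err != nil {
		fmt.Println("64-bit key:", err)
	}
}
```

A nonce is generated per record, never reused with the same key, because GCM loses both confidentiality and integrity on nonce reuse; the key itself would be held in a key-management system rather than alongside the records, which this example does not model.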

In order to meet the HITECH information security requirement, healthcare organizations need to know what data they have and where it is stored, said Jim McGann, vice president of information discovery at data discovery firm Index Engines.

“These regulations are forcing organizations that store medical records to go back in time and look at all that content. Every organization that we talked to in the healthcare area has legacy content, old files, tapes, and emails, that are five, 10, 15 years old, that they know are not compliant”, McGann told Infosecurity.

McGann said that only 1% to 5% of the tapes stored by these organizations have meaningful data on them, yet they keep everything. “Healthcare organizations store way too much information. … That is becoming a liability”, he said.

The new regulations require these organizations to treat data differently than in the past, he stressed. “There is a lot of catch-up on their part. They need to find the data and encrypt patient records”, he said.

“What you want to be able to do is apply policies to this data, get it out of legacy containers like backup tapes, then process the large volume of data, and archive what you need to archive based on the policies”, McGann said.

Index Engines provides a platform that enables organizations to look for specific records based on key words or specific content, then move them into an archive, encrypt the records if necessary, and apply retention periods to them. “We are basically the traffic cops. We go out on the networks in a legacy environment and take action on it”, he said.
