Why Data Storage Is a Key HITECH Issue
Minimizing Storage on Mobile Devices Preferred, Expert Says
The proposed Stage 2 EHR software certification rule requires that the software must, by default, encrypt data stored on mobile devices, such as laptops and tablets, to help minimize the risk of a breach (see: What's New in EHR Certification Rule?). The rule also says that another way to protect information is to avoid storing it on such devices, and Wolf, an executive adviser at Booz Allen Hamilton, says that should be the preferred approach.
"Providers should open a conversation with their EHR vendor on encryption of data at rest, or look at systems to eliminate the retention of health data on end-user devices," she says in an interview.
She also advises hospitals and physician practices to consider taking the extra steps of using full-disk encryption, as well as encryption of portable media, such as USB drives, to help safeguard patient information, even though those steps are not specifically required in the Stage 2 rules.
The HITECH incentive program, funded by the economic stimulus package, is providing billions of dollars in payments from Medicare and Medicaid to hospitals and physician practices that demonstrate they're meaningfully using certified EHRs. Participants in the EHR incentive program can gain additional payments in the next two stages if they meet the tougher requirements for each phase of the program. Stage 2 begins Oct. 1, 2013, for hospitals and Jan. 1, 2014, for physicians.
In addition to the proposed Stage 2 software certification rule, a proposed Stage 2 meaningful use rule sets guidelines for demonstrating that a hospital or physician practice is a meaningful user of certified EHR software (see: Stage 2 HITECH EHR Rule Unveiled).
In the interview, Wolf also:
- Explains technical standards for encryption called for in the rules;
- Points out that to qualify under the proposed Stage 2 meaningful use rule, hospitals and physician practices must conduct a risk assessment that verifies how they protect data at rest;
- Laments the rules' lack of a requirement for the use of metadata that would enable a patient to restrict access to specific portions of a record, as called for in a report from the Presidential Council of Advisors on Science and Technology.
At the consulting firm Booz Allen Hamilton, Wolf, CIPP, CIPP/G, serves as an executive adviser in cyber health privacy. In that role, she is advising the Department of Health and Human Services and its Centers for Medicare and Medicaid Services. She formerly spent 35 years at the Internal Revenue Service, most recently as head of the IRS' Office of Privacy, Information Protection and Data Security.
For more on the proposed rules, see an interview with Deven McGraw of the Center for Democracy & Technology.