This article originally appeared on SearchSecurity.com.
It's been a monstrous challenge for hospital chains like Baystate Health System to meet HIPAA's security rules. But as far as Jim DiDonato is concerned, the challenge was never meant to end with the law's April 21 compliance deadline.
"We'll always have enhancements to make," said DiDonato, information security officer and HIPAA project manager for the Springfield, Mass.-based organization, which runs three hospitals, generates $1.4 billion in revenue and has more than 9,000 employees. "Implementing a program like this is always difficult and changes in technology and exposure are ongoing. Compliance deadlines will pass. But the security needs will always be there."
While major technology enhancements must still be made, he said Baystate has invested an enormous amount of time and money to secure its more than 5,000 workstations, 100 Windows-based servers and other machines. According to a new report from Info-Tech Research Group of Canada, Baystate isn't alone.
A majority of the 1,400 IT managers surveyed in January said HIPAA prompted their organizations to boost security spending big time. More than 60% of respondents working for small- to medium-sized hospitals said their organizations are increasing investment this year. Thirteen percent said they are doing so in dramatic fashion.
The response wasn't surprising given a report from the American Health Information Management Association in April that said only 17.5% of hospitals and health systems were fully compliant as of January, said Frank Koelsch, Info-Tech Research Group's executive vice president.
"The final HIPAA security deadline for all but the smallest enterprises passed [April 21] and now officials at the Centers for Medicare and Medicaid Services [CMS] are going to be on the lookout for those who haven't complied," he said. "IT managers know their security technology needs to be robust to deal with the demands of HIPAA and our study shows they're making the necessary investment."
According to the report, available through the Info-Tech Web site:
- 80% of respondents plan to make core technology investments at current levels or higher. Top investment areas include storage and telephony.
- 59% of IT decision makers plan to increase desktop hardware investments.
- More than half of all hospitals with more than 500 employees are planning to implement VoIP.
- The biggest growth in spending is among the biggest hospitals -- those with more than 2,000 employees.
- 81% of larger hospitals plan, at a minimum, to bolster their security hardware while 73% plan to bolster their security software.
Do the findings suggest hospitals are scrambling to stay ahead of the HIPAA police?
"Scramble is a strong word," Koelsch said. "It suggests disarray. This is more about priorities and funding. It seems that now hospitals are getting their footing. I compare it to Y2K. The bulk of preparation for Y2K happened in 1999. We knew about the threat 10 years in advance. [HIPAA] doesn't carry the same sense of urgency as Y2K did at the time. Hospitals have other priorities, like keeping people alive."
DiDonato noted that Baystate has been immersed in HIPAA-based improvements for more than five years. "Changes we've been making date back to 1996," he said. "Since 2000, the work on HIPAA has been very active, especially when it comes to the administrative, physical and technical safeguards." The technical safeguards have included better encryption and network logging, he said. Physical improvements have included access control, and administrative safeguards have focused on training and policy.
"We've had a lot of success in getting support for the project," he added. "Everyone has played an important part. That said, it can still be hard to get resources. There are other priorities -- namely patient care. My philosophy is that patient care is job one."
He said the need for HIPAA improvements has been carefully weighed against the impact on patient care. "With the password structure we said, ok, best practices tells us to require this many characters," DiDonato said. "But in a patient care environment such a requirement could be a barrier to the speed of care. We decided to back off on that part. All of us are focusing more on protecting patient information. But this isn't Fort Knox and it shouldn't be."
In a recent SearchSecurity.com report on health organizations struggling with the security rules, Kate Borten, president of HIPAA consultancy The Marblehead Group Inc., said hospitals she visited were woefully unprepared. The Info-Tech findings failed to ease her concerns.
"Call me cynical, but I'm not seeing sweeping changes in attitude or spending for security in hospitals," Borten said in an e-mail interview. "Most hospitals I encounter have anemic infosec programs. Often the well-meaning ISO isn't full time, or is full time but is the only person dedicated to information security."