Data Security in Rural HealthCare: Challenges and Opportunities

This business case will discuss the challenges and opportunities around data security in rural healthcare.

When most people think of the Health Insurance Portability and Accountability Act (HIPAA), they think of the privacy of their medical records. However, both privacy and security requirements must be met to be compliant under HIPAA and to attest for Stage 1 Meaningful Use. The breaches reported in the media are typically related to electronic security issues, such as breaches due to theft of computers, improper disposal of media, or hacking.

For this paper, rural populations are defined as those residing within a county or area not designated by the Office of Management and Budget as a Metropolitan Statistical Area (MSA), which has at least one city with 50,000 or more inhabitants and a total population of at least 100,000. Finding the resources to address these medical record breaches is challenging for rural practitioners. Yet the risks of not acting are immense. The Office for Civil Rights (OCR) is more likely to audit small practitioners, and the financial industry recently announced that healthcare is the sector most at risk for breaches. The Department of Homeland Security identifies healthcare as an inviting target for hackers, criminals, and terrorists.

Previous breaches for smaller entities identified an important gap among these organizations: a marked lack of preparedness in all three of the major requirements of HIPAA -- privacy, security, and breach notifications. As a result, new audits will likely target the area within security with the poorest compliance efforts—the Security Risk Analysis requirement.

While cost is typically the reason Covered Entities (CEs) give for not being compliant, HIPAA allows CEs to consider their resources and to implement standards appropriate to the size and complexity of their organization, which the Department of Health and Human Services refers to as “scalability.”

All organizations must comply with HIPAA, but they are allowed to make modifications to their practice rather than engage in a complete overhaul to achieve compliance. Indeed, the phrases “reasonable steps” and “reasonable efforts” appear throughout the regulations. This is particularly important given the lack of resources available in some rural areas—limited internet connectivity, a lack of IT professionals, limited human resources personnel with or without knowledge of HIPAA regulations, and limited availability of staff who can provide regular training on HIPAA requirements.

Access to care is an issue in regions where physician-to-patient ratios are inadequate, or where there are not enough medical specialists available to meet the population’s needs. Rural areas struggle to maintain adequate numbers of clinical staff to serve their patient populations. The lack of care resources mirrors the lack of technical resources, resulting in compromised IT implementations and compromised privacy and security programs that depend on them.

In 2012, the Centers for Medicare and Medicaid Services (CMS) conducted a random audit of compliance with HIPAA regulations, specifically the presence of an adequate Security Risk Assessment. In its semiannual report, CMS found that less than 20% of covered entities had conducted the required Security Risk Assessment, the cornerstone of any program to comply with the HIPAA/HITECH regulations. In a more recent study of physician practices, the numbers are a bit better at 33%, but still need improvement.

Maintaining compliance with HIPAA is vital.  Penalties for noncompliance with HIPAA and the HITECH Act can quickly reach into millions of dollars, and the provisions affecting covered entities and business associates are wide-ranging. Media reports of security and privacy breaches can also be devastating—destroying the trust of patients, employees, vendors, and business associates.

Additionally, without HIPAA compliance, many covered entities (CEs) are unable to tap into federal meaningful use (MU) funds for implementing electronic health records (EHR). Many CEs are recognizing that they have not conducted an adequate Security Risk Assessment for their HIPAA compliance. The Core Objective under Stage 1, number 14 (for hospitals) or 15 (for other providers), is the identical Security Risk Assessment required under HIPAA/HITECH. Many organizations have therefore recognized that their attestations for MU monies may have been fraudulent, and they returned their MU monies until such time as the Core Objective has been met.

With so much riding on a HIPAA compliance program, it’s imperative to review and assess the organization’s status in the compliance continuum:


Figure 1: Compliance Questions [table not reproduced]

Regulatory compliance is challenging for most organizations, often more so for rural providers.  Typically, organizations will be short of staff or simply don't have the staff with appropriate knowledge and expertise.  Often, organizations simply want to know what they don't know. 

With this in mind, organizations must engage in a variety of activities:


Figure 2: Steps Toward Compliance with HIPAA [table not reproduced]

The most recent Ponemon study reports an accelerated risk of data breaches for healthcare organizations. More than 90 percent of healthcare organizations in this study experienced a data breach, and 40 percent of respondents had more than five data breaches over the past two years.

Criminals are also responsible for an alarming share of these breaches. The study indicates: “For the first time, criminal attacks are the number one cause of data breaches in healthcare.”

Criminal attacks on healthcare organizations are up 125 percent compared to five years ago. Forty-five percent of healthcare organizations report criminal activity as the root cause of their data breach. Yet, despite this changing threat environment, organizations are not changing their behavior—only 40 percent of healthcare organizations and 35 percent of business associates (BAs) are concerned about cyber attackers. These results seem to indicate a false sense of security.

It is unlikely that the architects of HIPAA, in 1996 or even in 2012, could have envisioned this new cybercrime environment, nor would they have been able to address a threat environment that evolves in a matter of days. Rural providers should recognize three changes to the threat landscape:

  1. The presence of organized cyber criminals,
  2. The proliferation of mobile devices, and
  3. A shifting geopolitical landscape.

Providers recognize the importance of basic security technologies, such as single sign-on authentication, firewalls, spam/spyware filters, and encryption, which enjoy high levels of adoption. But in today’s threat environment, such technologies are not enough. Rural providers can combat these threats with new tactics, such as:

  • implementing real-time surveillance of their networks,
  • creating a baseline of network activity, and
  • understanding the components of normal and unusual traffic on their servers.
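To make the second and third tactics concrete, here is an added example (not from the HIMSS business case or any tool it names) of a baseline-and-deviation check written in Python. It assumes that network flow records have already been summarized to (day, source host, destination port, bytes out); the hostnames, byte counts, z-score threshold and 5% spread floor are all constructed for illustration. A baseline window establishes what normal outbound volume per host and port looks like; a new window is then compared against it, and two deviations a provider would want to notice are reported: a host talking on a destination port it has never used before, and a daily volume far above that host's own history. A flat baseline (zero standard deviation) is handled by flooring the spread so that a trivial increase does not raise an alert.

```python
"""
Added example: build a baseline of per-host network activity and flag
deviations from it. All records below are constructed, not real data.
Assumed record layout: (day, src_host, dst_port, bytes_out).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline window: five days of "normal" outbound traffic per host/port.
BASELINE_FLOWS = [
    (1, "ehr-db01", 443, 1_000_000), (2, "ehr-db01", 443, 1_100_000),
    (3, "ehr-db01", 443, 950_000),   (4, "ehr-db01", 443, 1_050_000),
    (5, "ehr-db01", 443, 1_000_000),
    (1, "ws-frontdesk", 443, 200_000), (2, "ws-frontdesk", 443, 250_000),
    (3, "ws-frontdesk", 443, 180_000), (4, "ws-frontdesk", 443, 220_000),
    (5, "ws-frontdesk", 443, 150_000),
    (1, "ws-frontdesk", 53, 5_000), (2, "ws-frontdesk", 53, 5_000),
    (3, "ws-frontdesk", 53, 5_000), (4, "ws-frontdesk", 53, 5_000),
    (5, "ws-frontdesk", 53, 5_000),
]

# Constructed observation window: one new day to compare against the baseline.
NEW_FLOWS = [
    (6, "ehr-db01", 443, 600_000), (6, "ehr-db01", 443, 400_000),  # two flows, normal total
    (6, "ehr-db01", 22, 12_000),          # port never seen from this host before
    (6, "ws-frontdesk", 443, 8_000_000),  # large outbound spike
    (6, "ws-frontdesk", 53, 5_200),       # slightly above a perfectly flat baseline
]


def daily_totals(flows):
    """Sum bytes per (day, host, port) so that many flows collapse to one daily figure."""
    totals = defaultdict(int)
    for day, host, port, nbytes in flows:
        totals[(day, host, port)] += nbytes
    return totals


def build_baseline(flows):
    """Return {(host, port): (mean_bytes, stdev_bytes, days_observed)}."""
    per_key = defaultdict(list)
    for (day, host, port), total in daily_totals(flows).items():
        per_key[(host, port)].append(total)
    return {key: (mean(v), pstdev(v), len(v)) for key, v in per_key.items()}


def find_anomalies(baseline, flows, z_threshold=3.0, min_days=3, rel_floor=0.05):
    """Compare a new window against the baseline and return a list of findings.

    Two conditions are flagged:
      * a (host, port) pair with no baseline history at all ("new destination port"), and
      * a daily total more than z_threshold standard deviations above the mean
        ("volume spike"). A perfectly flat baseline has stdev 0, so the spread is
        floored at rel_floor * mean to avoid dividing by zero and over-alerting.
    Pairs with fewer than min_days of history are reported as "insufficient baseline"
    rather than scored, because a z-score over one or two days is not meaningful.
    """
    findings = []
    for (day, host, port), total in sorted(daily_totals(flows).items()):
        key = (host, port)
        if key not in baseline:
            findings.append((day, host, port, "new destination port", total))
            continue
        mu, sigma, days = baseline[key]
        if days < min_days:
            findings.append((day, host, port, "insufficient baseline", total))
            continue
        spread = max(sigma, rel_floor * mu)
        z = (total - mu) / spread if spread > 0 else 0.0
        if z > z_threshold:
            findings.append((day, host, port, "volume spike", total))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS)
    for finding in find_anomalies(base, NEW_FLOWS):
        print(finding)
```

Run directly, it reports the unexpected port on ehr-db01 and the volume spike on ws-frontdesk, and stays silent on the normal traffic. In practice the flow summaries would come from firewall or NetFlow exports, the thresholds should be tuned against the organization's own traffic rather than left at these constructed values, and the baseline should be rebuilt periodically so that legitimate changes in workflow do not stay flagged forever.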

Concurrently, organizations should conduct surveillance for emerging threats, taking a community-based approach to threat intelligence. With the rate at which threats change and proliferate, it is impossible for an organization to recognize new threats solely through its own efforts. Knowing what other organizations are dealing with can be invaluable.

An assessment based on research conducted and published by the Agency for Healthcare Research and Quality (AHRQ)

Rural health organizations adopt technology and the related privacy and security programs more slowly than the overall healthcare field. The success of these initiatives depends on the ability to address several complex and interdependent problems. While these challenges are not unique to organizations serving rural populations, they are aggravated in rural health by the lack of financial, personnel, and other resources. These challenges fall into two related categories: lack of financial resources and lack of access to qualified personnel.


Insufficient IT Expertise

Adopting and implementing health IT and the related mandated privacy and security programs requires hiring staff with specialized training, exacerbating the challenges that rural organizations already face in hiring and retaining qualified staff. The availability of staff with health informatics, security, and privacy training in rural communities is limited. The pool of personnel resources in these areas is not comparable to that in urban areas or resource-rich healthcare organizations.

One difficulty lies in hiring and retaining staff. Once individuals recruited and trained to serve as in-house experts have achieved a certain level of expertise, they are often recruited by, or choose to work for, larger non-rural facilities that can offer higher salaries, greater benefits, and professional development. Even smaller organizations with knowledgeable staff typically have a limited number of qualified staff, which delays the implementation of security and privacy programs and the ongoing maintenance of such programs.


Staff for Planning and Implementation

Limited involvement by all necessary staff during the planning and implementation of security and privacy programs will negatively impact the program’s success.   Additionally, attempting to implement programs from larger organizations and apply them to an under-resourced rural hospital can lead to underestimating the challenges as discussed earlier. Hiring security and privacy staff or a project manager may be prohibitive for under-resourced organizations. Including the security and privacy program in private or government funding opportunities may be one way to pay for this expertise in the short term.


Training

Most healthcare organizations, not just rural practitioners, are remiss when it comes to training.  User training and outreach is another crucial component to the success of the projects discussed here.  Because of limited expertise, development of a training program may take longer. It needs to address the specific privacy and security issues endemic to rural healthcare, with the training integrated into the institution’s normal workflow. 


Organizational Leadership

Effective implementation of privacy and security programs necessitates a change in provider culture, attitudes, and thought processes, effectively changing the culture of an organization. Senior leadership needs to be honest and upfront with providers and other staff about this change in culture and workflow.  Successful privacy and security programs begin at the top and work their way through the entire organization. 

Successful HIPAA compliance does not lend itself to simple “fixes” that can be easily integrated into a new environment. Implementation leaders must plan for these social and cultural changes that will accompany the introduction of their security and privacy programs.  In striving for the “culture of compliance” required for the successful implementation of these programs, providers and staff must adapt their work style to accommodate the regulations.

The importance of consistent and informed organizational leadership cannot be overstressed. The time needed to rebuild momentum, vision, and interest among key players can be considerable. Staff turnover at the leadership level is a huge challenge in rural environments; hiring and training new staff can delay any planned implementations. Losing a project champion can slow a project, given the limited resources and the time investment needed to secure buy-in for the vision and implementation plan.

A new project leader must cultivate new relationships and gain commitment from staff for compliance efforts. This takes staff time away from other priorities, and the outcome is not always positive for the project. When a new CEO or other senior executive joins the organization, many local issues top their priority list. This can affect the leader’s willingness to engage at a regional level and invest a large sum of money in a legacy project. In addition, other key players often lose interest once momentum slows down and new leadership acclimates to the situation. While organizational leadership is central to the success of health IT and health information exchange (HIE) implementations in all settings, the problem escalates in rural or underserved settings, where resources can be limited and recruitment expenses for leadership personnel, in both time and money, are high.


Medical Staff Commitment

When providers recognize the added value of a security and privacy program, as with other health IT tools, they are more likely to accept and implement the recommendation. In spite of the lack of perceived value of security and privacy programs, one must stress the importance of physician champions for the successful implementation and operation of a privacy and security program. A security and privacy program implementation should not begin without all stakeholders understanding and embracing the benefits of security and privacy, and recognizing the risks of not implementing an adequate program. The role of the physician champion is to act as a liaison between the physicians in the organization and the implementation team. The physician champion acts as a point of reference for how things are done from a clinical perspective and for how physicians need security and privacy to function in the context of the delivery of care. The physician champion is responsible for keeping the physicians up to date on the progress of the implementation and management program and for maintaining physician “buy-in.”


Funding

The financial resources required to fund planning and implementation costs are a significant barrier to the implementation of security and privacy programs. Financial barriers are particularly pronounced for rural providers, because they typically practice as single-specialty, solo, or small groups, which traditionally lack the financial resources needed for implementation. Most safety net providers are supported by government funding and have limited financial resources.

Start-up costs for the implementation and maintenance of a security and privacy program can be significant, causing providers to rely on multiple funding sources. In addition to receiving grants from federal and state agencies and other external organizations, facilities often rely on internal funding to begin, complete, or expand health IT implementation. Healthcare facilities operating in rural and underserved areas often have limited profit margins, and therefore limited funding available to extend beyond patient care expenses.

Capital expenses are in “competition” with other equipment, supplies, and even renovations. As a result, health IT implementation projects are often challenging to initiate and/or take more time to roll out due to consistent difficulties in securing funding. Without external funding, it is difficult for rural and underserved facilities to implement basic health IT.

These facilities can overcome their financial disadvantage by pooling resources from participating facilities and requesting funding from employers and other stakeholders who have a vested interest in improving the overall health of their community.

The absence of large employers in any single rural locale can significantly affect the sustainability model for projects implementing a security and privacy program. It can be difficult for large employers to commit to compliance efforts, since in rural communities the number of large employers is limited, and those that exist are often governmental organizations, e.g., hospitals, state prisons, and so on.

In addition, smaller employers tend not to offer health insurance, and therefore, are less likely to engage in or support a provider’s activities, because they do not have as much financially at stake as employers that provide insurance coverage.

To secure commitment from employers, a variety of solutions may be considered:

  • engaging employers before the implementation project begins to ensure their interests are included;
  • creating a business case for employers to ensure their commitment over the long term;
  • conducting presentations with large and small employers to demonstrate the benefit that population health management can have in their community, workforce, and financial strategy;
  • holding live demonstrations once the project begins so employers can visualize the technology and see the progress; and
  • partnering with any large, private health insurers who cover the area’s population.


Rural providers struggle to provide adequate access to care where physician-to-patient ratios are inadequate, or where enough medical specialists are not available to meet the population’s needs. Rural areas struggle to maintain adequate numbers of clinical staff to serve their patient populations. Mirroring the lack of care resources is the lack of technical resources, resulting in compromised IT implementations and compromised privacy and security programs. Thus, these providers are obligated to comply with the privacy and security regulations, but their lack of financial resources exacerbates their difficulty in attracting, training, and retaining qualified technology, privacy, and security professionals.

As the threat environment continues to change and accelerate, new skills are required to combat these assaults on patient information.  Given the current hurdles faced by rural providers, the need exists for development of new and innovative ways to acquire resources required to combat these growing data breach threats.

IT Implementation

Local Implementation Support

  • Regional Extension Centers (RECs) offer unbiased EHR adoption support throughout the EHR implementation process – from start to finish. These organizations, funded by the Office of the National Coordinator for Health Information Technology (ONC), also serve as two-way pipelines to local and federal resources.

Privacy and Security

Funding

  • USDA Community Facilities Loans and Grants: These programs provide grants, loans and loan guarantees for essential community facilities projects in rural areas. Priority is given to healthcare (including health IT) projects as well as other community initiatives.
  • USDA Distance Learning and Telemedicine Loan and Grant Program: Through loans and grants, this program extends access to advanced telecommunications technologies that enhance learning and healthcare opportunities for rural residents.
  • USDA Community Connect Grants: This program serves rural communities where broadband service is least likely to be available. The grant funds a community center with free broadband service for two years and pays for construction of broadband service to residents, businesses and key community facilities such as schools and healthcare institutions.
  • USDA Farm Bill Broadband Loan Program: This program is designed to provide loans for funding, on a technology neutral basis, the costs of construction, improvement, and acquisition of facilities and equipment to provide broadband services to eligible rural communities.
  • USDA Telecom Infrastructure Loans: This loan program makes long-term direct and guaranteed loans to qualified organizations for the purpose of financing the improvement, expansion, construction, acquisition, and operation of telephone lines, facilities, or systems to furnish and improve telecommunications services in rural areas. All facilities must be capable of supporting broadband services.
  • Rural Health Care Program: Administered by the Universal Service Administrative Company under the oversight of the Federal Communications Commission, this program provides reduced rates on telecommunications and Internet services to eligible rural healthcare providers in the United States.
  • Health Care Connect Fund: Administered by the Universal Service Administrative Company under the oversight of the FCC, this program builds on the success of the Rural Health Care Pilot Program by providing support to eligible public and not-for-profit healthcare providers for the cost of broadband services or facilities that are used for healthcare purposes.

Health Resources and Services Administration (HRSA) Resources

Editor:

Roger Shindell, MS, CHPS, Founder, President, CEO, Carosh Compliance Solutions, HIMSS HIT for Rural Health and Underserved Work Group Member

Special thanks to the HIMSS HIT for Rural Health and Underserved Work Group Volunteers

  • Chairperson – Gora Datta, Chairman & CEO CAL2CAL Corporation, HL7 International Ambassador & co-Chair HL7 Mobile Health, Vice-Chair IEEE Orange County Section
  • John Ritter, Healthcare Standards Architect; Volunteer at HL7, ISO TC215, HIMSS, ONC S&I Framework.
  • Kalyani Yerra, MBA, MHA, PMP, CPHIMS, Sr. Technical Architect, Premier, Inc. 
  • Roger Shindell, MS, CHPS, Founder, President, CEO, Carosh Compliance Solutions
  • W John Gachago, e-Health Consultant, JWG Global Ltd.
  • Larry Rine, CEO, Intersect Healthcare Systems

HIMSS Staff:

Ian E. Hoffberg, Manager, Healthcare Information Systems (HIS), HIMSS North America

If you have comments, please contact Ian E. Hoffberg at ihoffberg@himss.org.

Keywords: 
Rural, underserved, Security, HIPAA