Health care struggles with security's cost

Security's high price tag and a lack of expertise have many health care companies balking at complying with regulations that would protect digital patient data.

Robert Lemos Staff Writer, CNET News.com
SAN FRANCISCO--Security's high price tag and a lack of expertise have many health care companies balking at complying with regulations that would protect digital patient data, a group of experts said Wednesday.

Speaking at the RSA Conference, medical-information security professionals said regulations mandated by the Health Insurance Portability and Accountability Act (HIPAA) seem to be delaying some health care organizations' move from paper records to digital files.

The security professionals urged companies to make the move to digital and follow the regulations, despite the accompanying price tag, which can run from the tens of thousands of dollars for small medical practices to millions of dollars for large organizations.


"It is the cost of doing business," said Micki Krause, chief information security officer at Pacific Life Insurance. "If you implement those controls, you will be far better off in the future."

The move toward digital systems has been slow for the health care industry, with only 15 percent to 20 percent of organizations using electronic medical records instead of paper ones, said Dr. Stephen Lane, medical director of clinical informatics at the Palo Alto Medical Foundation.

"I think it is important to remember that for a four- or five-pediatrician office in a strip mall, that there is clearly a large administrative burden," he said during the panel debate. "We haven't been involved in IT very long, compared to other industries. We are a little bit behind the curve there."

The industry's reluctance has led the U.S. Congress to grant a one-year extension for complying with the security regulations, known as the Security and Transaction Modifications Rules under HIPAA. Health care companies and organizations now have until April 21, 2005, to comply with the regulations.

While Lane's office doesn't touch paper anymore, the impending deadline and the cost of converting paper processes to digital systems have many medical offices hesitating to go digital. And companies and organizations that have taken the plunge are having to refight a lot of battles to keep staff thinking about security, Lane said.

"Those of us that have already gone down this path are grappling with these issues," he said. "When we tell (employees) that they have to have timed logouts and complex passwords, those bare adopters are putting up more of a fuss."

That resistance illustrates that educating people is the biggest challenge in incorporating security into health care, Pacific Life's Krause said.

"It's no coincidence that HIPAA focuses on the administration," Krause said. "It is the people aspect of any rule that is the challenge."

While many offices may claim to be compliant with HIPAA, the staff still doesn't understand how to be mindful of security and privacy, she said. An example: "You go into an office and sign the form that says the office is under compliance; then you sit down, and the receptionist shouts across a crowded room to ask you for your social-security number," Krause said.

The health care information professionals didn't try to soften the financial blow.

"There is definitely a high cost involved in implementing the rules," said Geree Martin, former information technology director at managed health care provider Kaiser Permanente. "I do believe it will be cost-effective, but it will be a long time before many organizations will see a return on their investment."