Tag Archives: security

Meaningful Use Privacy & Security Concerns

The Privacy and Security requirements of the recently released Meaningful Use NPRM and Certification IFR have received a lot of attention due to their lack of definition. I joined in on the Jan 22 ONC Privacy & Security Workgroup meeting to discuss which topics the workgroup will comment on and send to the HIT Policy Committee. The topics included risk assessments, the phrase “implement security updates as necessary”, HIPAA investigations, privacy and data transparency, and “consumer preference”.

  • Risk assessments – There is still a lot of concern about the lack of clarity surrounding risk assessments. The ONC will need to ensure that education on risk assessments is available, especially targeted at small providers. Most organizations currently think they are HIPAA compliant, but few would feel comfortable if the government performed a HIPAA audit, because there is no guidance as to what the government would audit against. Guidance is needed on the “intended outcomes” of the MU Security objective, and greater transparency, such as Audit Program Compliance Guidelines, is needed on the audit process that will be used. It is unlikely that any guidance will be available by the time the final rulings are released. Large organizations commonly perform internal or 3rd party security/privacy audits, but this is rare (and not feasible) among smaller providers. Many of the comments related to this topic will not change the objective, but rather how the ONC responds to the need for additional information.
  • “Implement security updates as necessary” – The term “updates” is both a technology (i.e. software update) and business process (i.e. modify password policy) term, and its intended meaning (whether one or the other or both) should be clearly stated. Time requirements were discussed, such as requiring that software security patches be installed within 90 days of release, but this was thrown out due to the complications of implementing updates, especially in enterprise settings.
  • HIPAA Investigations – ~5k HIPAA investigations are currently underway. Unclear if these are ~5k different hospitals, individual doctors, multiple investigations per entity, etc. Unclear if an open investigation will prevent an eligible professional or hospital from receiving incentive payments. The “expected” length and cost of investigations will be important to allow providers to make informed decisions. Unclear which HIPAA investigation types are relevant to MU.
  • Privacy and Data Transparency – No objectives or measures for privacy and data transparency are present in Stage 1. The Committee wants to propose these for Stage 2. “Accounting of disclosures” is included in Stage 1 and is already required by HIPAA. The connection between the security/certification piece and the MU/privacy piece is weak. For example, the capability to prevent many breaches is a part of certified EHR, but there are no objectives or measures to guide providers in the use of these certification criteria.
  • “Consumer-preference” – Also referred to as “patient-choice” requirements, consent management, or access control. There was some disagreement as to what the proper language was to discuss patient preference. Dixie Baker, who is also involved in the Security Standards Workgroup, posted a presentation (available on the ONC website) to address Access Control and its relation to privacy. There are no IFR criteria for access control to help entities manage the patient consent requirement with which they must comply. This discussion was cut short due to time and will probably be completed in private conversation.

Refer to my previous post to join in on future workgroup meetings: https://singularityblog.wordpress.com/2010/01/11/upcoming-hit-policy-standards-committees-workgroup-meetings/

President Bush Delivers Farewell Speech – Jan 15

President Bush delivered his farewell address Jan 15, 2009. Regardless of one’s party affiliation and political likes and dislikes, a Presidential farewell provides an interesting perspective into the legacy by which a President hopes to be remembered. And this is why I found President Bush’s address so shocking. He begins by acknowledging the truly astonishing nature of the transition:

Five days from now, the world will witness the vitality of American democracy. In a tradition dating back to our founding, the presidency will pass to a successor chosen by you, the American people. Standing on the steps of the Capitol will be a man whose history reflects the enduring promise of our land. This is a moment of hope and pride for our whole nation. And I join all Americans in offering best wishes to President-elect Obama, his wife Michelle, and their two beautiful girls.

Then, he narrows in to the single event that shaped both his speech and his entire presidency:

This evening, my thoughts return to the first night I addressed you from this house — September the 11th, 2001.

Some insight into the administration’s view of US intervention in Afghanistan and Iraq:

Afghanistan has gone from a nation where the Taliban harbored al-Qaida and stoned women in the streets to a young democracy that is fighting terror and encouraging girls to go to school. Iraq has gone from a brutal dictatorship and a sworn enemy of America to an Arab democracy at the heart of the Middle East and a friend of the United States.

Bush attributes 7 years with no terrorist attacks to the creation of the Department of Homeland Security, transformation of the military and intelligence community, and taking “the fight to terrorists and those who support them”:

There is legitimate debate about many of these decisions. But there can be little debate about the results. America has gone more than seven years without another terrorist attack on our soil.

Now, a return to the ideological struggle between good and evil:

The battles waged by our troops are part of a broader struggle between two dramatically different systems. Under one, a small band of fanatics demands total obedience to an oppressive ideology, condemns women to subservience and marks unbelievers for murder. The other system is based on the conviction that freedom is the universal gift of Almighty God, and that liberty and justice light the path to peace.

I’ve often spoken to you about good and evil, and this has made some uncomfortable. But good and evil are present in this world, and between the two of them there can be no compromise. Murdering the innocent to advance an ideology is wrong every time, everywhere. Freeing people from oppression and despair is eternally right. This nation must continue to speak out for justice and truth. We must always be willing to act in their defense — and to advance the cause of peace.

9/11 laid such a heavy burden on this administration that Bush only gives a single paragraph to the other major events of his administration: expansion of Medicare prescription drug benefits, No Child Left Behind (which he doesn’t mention by name), lower taxes, promotion of faith-based programs, and providing assistance to persons living with HIV/AIDS.

Let’s spend a minute on that last one. The President’s Emergency Plan for AIDS Relief (PEPFAR) is largely considered to be the most successful international aid program the US has enacted and receives strong bipartisan support. PEPFAR provided $50 billion over 5 years to fund anti-retrovirals and contraceptive distribution networks, as well as educational programs (usually abstinence based, although this is changing). PEPFAR has had a slew of problems, but is still one of the largest sources of funding for AIDS relief. Yet, President Bush hardly even mentions it.

But more than anything, I am struck by the divisiveness of his language. President Bush entered office vowing to be a “uniter not a divider”, yet he left with extremely low approval ratings and negative perceptions of the US worldwide. Drawing sharp lines between black and white, good and evil, may be useful to him in his personal life, but divisions such as these can have harmful and polarizing effects in politics. Unity is not achieved by publicly labeling outsiders. If a group identifies themselves by their opposition to you, calling them evil strengthens their identity and opens you up to scrutiny (consider Bush and the torture at Guantanamo).

While discussing this issue with a friend of mine, he said something quite insightful: “Great men in history have created divisiveness and offense without exception. They simply know that their ultimate goals are more important than public acceptance…Great men may create terrible controversy, but at least they have the appropriate methodology and results to back it up.” Therefore, division isn’t the problem; it is creating division without support, without evidence, without proper methodology.

Politics is labeled the art of compromise for a reason. Political philosopher Jean Bethke Elshtain states: “But compromise is not a mediocre way to do politics; it is an adventure, the only way to do democratic politics.” Certainly, this argument is a simplification, but I look forward to the departure of divisive ideology from the White House.

(Read the full text of President Bush’s farewell address here: http://www.baltimoresun.com/news/nation/bal-bushtext0115,0,3697667.story)

(Read more of my friend’s blog at http://nateahern.blogspot.com/)