Privacy, security not as high-priority as meeting meaningful use
Eighty percent of respondents to a March 2011 Healthcare IT News survey of hospital and health system IT professionals cited compliance as the highest expectation of achieving meaningful use. Only 38 percent, however, are in the process of enterprise-wide adoption of secure EHRs.
The survey results confirm what Oracle and Deloitte, who commissioned the survey, are seeing in the marketplace, attendees were told at a healthcare session at Oracle OpenWorld Conference on Wednesday.
While meaningful use is very important, privacy and security are down on the priority list, partly as a result of limited resources and competing requirements, said Russell Jones, partner at Deloitte & Touche LLP, in the session “Secure EHRs: Achieving ‘Meaningful Use’ Compliance and Preventing Data Theft and Fraud.”
With the Department of Health and Human Services "serious about enforcement" – HHS has engaged a Big 4 auditor to conduct up to 150 HIPAA security and privacy audits between now and the end of 2012 – Jones says hospitals and health systems need to deploy a set of controls that are robust and at the same time flexible and don’t impede physician workflow.
Jones recommended healthcare organizations take a framework approach to securing EHRs. Kaiser, Baylor Health Systems and a number of other healthcare organizations came together in a collaboration with HITRUST and developed the CSF for the healthcare industry a couple of years ago. Hospitals and health systems need to protect electronic personal health information (PHI) and PHI outside the EHR, said Jones. Finding a solution that can be implemented and tested once that can satisfy many requirements is ideal, he said.
“Meaningful use should not be a siloed approach,” said Jones. Security should be a line item in the meaningful use initiative. “Being compliant doesn’t mean you’re secure,” he added. “You’re going to need technology solutions that are data centric.”
Reid Oakes, senior director of healthcare technology for Oracle, noted that technology solutions should look across the entire enterprise within the integrated framework approach. Once hospitals and health systems determine what they are trying to secure and where it is, they need to build, from the top down, a data map that encompasses business and clinical processes, and then deploy the technology.
Oakes took a deep dive into the various types of solutions for protecting data, including database security, identity management and information rights management applied to the data. An information rights management solution, for example, should be able to provide document-level access control, as well as policy-level control for de-identifying the data, he said.
“You have to secure data in the right places and dynamically manage access,” Oakes said. “You have to look at security as a constant iterative process.”