HIT security panel troubled by risk assessment void

A Health & Human Services Department advisory panel on privacy and security expressed concerns Monday over the inability of many healthcare providers to perform basic risk assessments of their health information assets, a tenet of the proposed "meaningful use" guidelines just released by the Centers for Medicare and Medicaid Services.

Dixie Baker, a member of the privacy and security workgroup of the Health IT Policy Committee, said she was surprised by a 2009 survey discussed at a recent HHS Health IT Standards Committee meeting that showed that 48 percent of the responding providers, mostly hospitals, performed no risk assessment. "Up until that testimony, I thought most people were doing a risk assessment and would look at this [rule] and say that that sounds pretty reasonable," said Baker, who is co-chair of the Standard Committee's security workgroup and chief technology officer for health solutions at SAIC. "The fact is that they are not doing the risk assessment to begin with, which makes me question their capability or motivation to do this measure for meaningful use," she added.