News Stay informed about the latest enterprise technology news and product updates.

Cost of security, IT management add up at healthcare facilities, study finds

Digitalizing healthcare records and new health systems fail to cut costs, according to new research from Harvard University. Security and other management costs add up.

Researchers at Harvard University have uncovered what could be a confounding problem facing the healthcare industry: Digitalizing healthcare records and deploying new technologies fails to provide cost benefits.

To get security news and tips delivered to your inbox,  click here to sign up for our free newsletter.

For years, hardware and software vendors have been touting the return on investment (ROI) when enterprises, including healthcare facilities, streamline and eliminate inefficient, manual processes through technology deployments. But the new Harvard University research study shows that introducing technology into hospitals and doctor offices actually increases costs associated with configuration management, upgrading systems and deploying and maintaining healthcare IT security technologies.

"Most of the systems are being sold principally to make sure the institution collects every penny it can," said the report's lead author Dr. David Himmelstein, an associate professor at Harvard Medical School. "The guts of the system are distorted by the need to make sure it's a billing system at heart."

Himmelstein and his team reviewed about 4,000 hospitals from 2003 to 2007 and found that while many had digitialized patient records to eliminate paper, administrative costs actually rose, even among the most high-tech institutions. The hospital computing and costs study, published in The American Journal of Medicine, doesn't point to specific costs such as security and configuration management, but it does find that ongoing IT administrative costs add to the bottom line once new systems are deployed. 

Healthcare security trends:

Healthcare security spending remains sluggish, report shows: Billions for electronic healthcare records aren't driving security budgets up, according to the Healthcare Information and Management Systems Society. 

Health Net healthcare data breach affects1.5 million
: A lost hard drive contained seven years of patient data including Social Security numbers and medical records of more than a million Health Net customers.

Secure your remote users in 2010: As companies shave operational costs by hiring more remote workers, IT security teams should plan to protect sensitive data being used by a highly mobile workforce in 2010.

"Clearly there are some examples of quality of care being worse because of computers and some examples where it's been better. But overall they're not saving money," Himmelstein said in an interview with "Introducing technology has a trivial effect."

The researchers analyzed hospital Medicare insurance program data and several other reports that compile government data on healthcare costs at patient facilities. They found administrative costs increased slightly from 24.4% in 2003 to 24.9% in 2007, with facilities with the fastest technology deployments seeing the highest cost increases. For systems to be beneficial and provide a true ROI, they need to focus on patient care and be deployed more slowly across an organization, Himmelstein said. The introduction of new technologies also introduces some uncertainties about healthcare privacy and security into an organization.

Privacy and security are ongoing concerns that need to be addressed during all stages of a deployment. For example, some hospitals and patient care facilities may be investigating cloud computing in which data center management is outsourced to a third-party provider.

"There are still significant issues about security and those issues need to be handled as part of clinical computing and any other setting where technology is introduced," Himmelstein said. "At this point there are hundreds of hospitals and practices putting enormous amounts of patient data online, but we've yet to see the cost benefit or the benefit of patient care."

For now, healthcare facilities continue to modernize systems and eliminate manual processes, buoyed by financial incentives from technology vendors and the federal government's push to modernize the healthcare system. The economic stimulus package approved by Congress earlier this year offers up to $19 billion in incentives to modernize healthcare systems. The goal is to prevent errors and allow greater coordination among caregivers and patients. 

Still, security spending in the healthcare industry remains sluggish at best, according to a recent survey. Despite the incentives, security accounts for 3% or less of overall IT spending in a substantial majority of healthcare organizations, virtually unchanged from last year. The survey indicated that healthcare organizations may be first focusing on converting paper records into electronic healthcare records.

Himmelstein does have some optimism for future technology deployments if they are handled correctly. He lauded the way Indianapolis' Ronald Reagan Institute of Emergency Medicine, Boston's Brigham and Women's Hospital and the Veterans Administration handled some of its technology investments in recent years, and said many of the organizations knee deep in new technology that use electronic health records, such as Kaiser Permanente and the Mayo Clinic, may deserve further study to understand the long term effects on cost.

The Health Insurance Portability and Accountability Act (HIPAA) has also been recently strengthened and forced healthcare organizations to conduct data discovery in current systems and tighten access controls. Despite being online, patient records are protected by HIPAA rules, which make it difficult for some doctors to access patient health records online. Healthcare data security is a unique problem, said analyst Ramon Krikken of the Burton Group.

"In this case you're talking about people's lives so you don't want a system to lock out a doctor when the patient needs a life saving procedure," Krikken said. "Security is very different because the fail-over must grant access when time is essential in a life or death decision."

Dig Deeper on HIPAA

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.