Tuesday, July 30, 2013

Aligning healthcare management, staff to strengthen security


Technology is an important piece of the puzzle in healthcare organizations, but proper funding, people, management buy-in and process are equally important pieces.  Unfortunately, funding can be a significant challenge for many organizations.  The third annual Benchmark Study on Patient Privacy & Security by the Ponemon Institute, which was released in December 2012, showed that only 27% of those surveyed reported sufficient resources, while 34% felt they had a sufficient security budget.

In order for healthcare organizations to properly organize their security priorities, buy-in from the most senior executives must be obtained.  This can be accomplished by conducting quarterly meetings with the C-suite to review changes, breaches and the short/long term goals of the security team.  Arming executives with this information will raise awareness and help to garner their support.  Vendors can also be of assistance by providing the current state of the industry, thus offering executives the opportunity to understand where their organization ranks among current security trends.

Staffing is also extremely important, as an overworked department is less likely to discover a breach early.  Given the sophistication of most attackers and of internal threats, healthcare organizations should have employees whose main duty is to identify threats.  Moreover, security administrators and all IT personnel should possess the skills to recognize malicious behavior and know how to respond to such incidents.  If internal employees are not skilled enough, the organization might need to consider outsourcing.

Combining these best practices with sound business processes, and involving other departments such as human resources and legal, will result in an organization prepared to protect its data and prevent data loss.  This approach will help to reduce or eliminate the impact felt by any organization that inevitably experiences a breach.

I could not agree more with this article.  As the author stated, “Healthcare decision makers often do not understand the value of investing in IT security, and no one will ever thank a security administrator for not getting breached.”  Engaging executives and any other key stakeholders in an awareness campaign will certainly result in positive outcomes.  Important decisions cannot be made if leaders are not aware that they need to be made.  Moreover, lack of funding and staffing will inevitably result if leadership is not engaged.  Therefore, the key takeaway from this article is “Awareness!”


Article Referenced:



Tuesday, July 23, 2013

Scrutinizing Healthcare Data Encryption Options


Data encryption is coming to the forefront in healthcare organizations due to the increased penalties associated with HIPAA violations.  Unfortunately, most hospitals are considered outdated both in their encryption practices and in their understanding of the options available today.

A recent article in Wired listed 9 Biggest Data Encryption Myths Busted.  A few of those myths are particularly relevant to healthcare.

1.     Encrypt regardless of compliance reasons - The Office for Civil Rights recommends encryption, but it has yet to be mandated.
2.     Pair inexpensive encryption tools with knowledge of your organization - The size of the organization shouldn’t matter.  Both small and large organizations should be encrypting all data.
3.     Cloud encryption key management has come a long way - With a business associate agreement (BAA) in place, organizations shouldn’t have an issue with a vendor managing the key.  Keep in mind that a BAA allocates legal responsibility; it does not change the fact that whoever holds the key can read the data, so the vendor’s key-handling controls still need to be reviewed.
4.     Encryption can be a big part of healthcare big data security.

John Christly, CISO of Nova Southeastern University, has expressed concern that the HIPAA Security Rule classifies encryption as an “addressable” implementation specification rather than a “required” one, as some other elements are.  (Addressable does not mean optional: a covered entity must implement the specification if it is reasonable and appropriate, or document why it is not and implement an equivalent alternative measure.)  As a result, many organizations will wait until it is explicitly required, and even more troubling, many do not know where their data is or where it comes from.

Finally, while encryption is needed, organizations must be careful when implementing it: encrypted data is only as recoverable as its keys, so important data can be permanently lost if key management, backup and recovery are not handled correctly.  Moreover, costs associated with the technology and education can be high, but given the risks, it’s important to ensure it is performed properly.

Just a few weeks back I discussed USB security and how some hospitals are encrypting USB drives as a precautionary measure.  I believe that many hospitals are waiting to begin data encryption for anything else due to the potential for numerous issues, but especially due to the fear of losing important data in the process.  In my opinion, hospitals should be encrypting all data, as the possibility of hefty fines and patient harm resulting from a data breach could be much greater than any other risk associated with encrypting.  As a patient, I would be relieved to know that my data is being treated as carefully and safely as possible.

Article referenced:
Ouellette, Patrick.  (May 31, 2013).  Scrutinizing healthcare data encryption options.  HealthIT Security.  Found on July 22, 2013.  Retrieved from http://healthitsecurity.com/2013/05/31/scrutinizing-healthcare-data-encryption-options/


Wednesday, July 17, 2013

Big Data: Protecting Patient Privacy



Intermountain Healthcare, Deloitte Develop New Analysis Tool
Discovering important correlations between treatments and medical conditions requires a lot of digging and analysis.  Protecting patient privacy can be a challenge during this process, but Intermountain Healthcare and Deloitte have developed a big data analytical tool called OutcomesMiner, which Intermountain is using in conjunction with its electronic health record (EHR) repository to identify “clinical nuances.”  Asthma is one condition Intermountain plans to study, to determine which medications provide the best clinical outcome.
To protect patient privacy, Intermountain has patient data “curated, cleansed and de-identified” twice to ensure compliance with HIPAA privacy laws.  They’ve even hired professional statisticians to ensure data is completely de-identified. 
De-identification of data is something that Deloitte is accustomed to performing and plans to help other organizations who wish to utilize the OutcomesMiner analytical tool.
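The article does not say which HIPAA de-identification method Intermountain and Deloitte apply.  As an added illustration (not code from Intermountain, Deloitte, or the article), the script below applies the Safe Harbor method of the HIPAA Privacy Rule (45 CFR 164.514(b)(2)) to a constructed patient record: it drops direct identifiers, reduces dates to the year, collapses ages of 90 and over into a single bucket, truncates ZIP codes to their first three digits (zeroed when the three-digit area is sparsely populated), and redacts identifier patterns that commonly leak into free-text notes.  The field names, the sample record and the sparse-ZIP list are assumptions made for the example.

```python
"""Added example: HIPAA Safe Harbor style de-identification of a patient record.

Handles a representative subset of the 18 Safe Harbor identifier categories.
All sample data below is constructed for this example; it is not real patient
data and the sparse-ZIP list is not the real Census-derived list.
"""
import re
from datetime import date

# Fields Safe Harbor requires to be removed outright (a subset of the 18).
DIRECT_IDENTIFIERS = {"name", "mrn", "ssn", "phone", "email", "street_address",
                      "device_serial", "ip_address"}

# Date fields (other than date of birth) that are reduced to the year.
DATE_FIELDS = {"admit_date", "discharge_date"}

# Three-digit ZIP prefixes covering fewer than 20,000 people must become "000".
# Constructed for this example; the real list comes from Census data.
SPARSE_ZIP3 = {"036", "059", "102", "203", "556"}

# Patterns that commonly leak identifiers into free-text clinical notes.
FREE_TEXT_PATTERNS = [
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
    (re.compile(r"\b\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}\b"), "[PHONE]"),
    (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "[EMAIL]"),
    (re.compile(r"\b\d{1,2}/\d{1,2}/\d{4}\b"), "[DATE]"),
]


def generalize_zip(zip_code):
    """Keep the first three ZIP digits, or '000' if that area is sparse."""
    zip3 = re.sub(r"\D", "", str(zip_code))[:3]
    if len(zip3) < 3 or zip3 in SPARSE_ZIP3:
        return "000"
    return zip3


def generalize_date(value):
    """Reduce an ISO date (YYYY-MM-DD) to its year, as Safe Harbor permits."""
    return str(date.fromisoformat(value).year)


def generalize_age(dob, as_of):
    """Age in whole years, with 90 and over collapsed into one bucket."""
    born = date.fromisoformat(dob)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age >= 90 else str(age)


def scrub_free_text(text):
    """Replace SSN, phone, e-mail and full-date patterns with labels."""
    for pattern, label in FREE_TEXT_PATTERNS:
        text = pattern.sub(label, text)
    return text


def deidentify(record, as_of=date(2013, 7, 1)):
    """Return a new dict with Safe Harbor generalizations applied."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            continue                      # dropped entirely
        if field == "zip":
            out["zip3"] = generalize_zip(value)
        elif field == "dob":
            out["birth_year"] = generalize_date(value)
            out["age"] = generalize_age(value, as_of)
        elif field in DATE_FIELDS:
            out[field.replace("_date", "_year")] = generalize_date(value)
        elif field == "notes":
            out["notes"] = scrub_free_text(value)
        else:
            out[field] = value            # clinical fields pass through
    return out


# Constructed sample record (hypothetical patient, not real data).
SAMPLE_RECORD = {
    "mrn": "00123456",
    "name": "Jane Q. Sample",
    "ssn": "123-45-6789",
    "dob": "1921-03-15",
    "zip": "03601",
    "admit_date": "2013-04-02",
    "discharge_date": "2013-04-09",
    "diagnosis": "J45.20",
    "medication": "albuterol",
    "notes": "Pt reachable at 801-555-0123, follow-up 04/16/2013.",
}

if __name__ == "__main__":
    for k, v in deidentify(SAMPLE_RECORD).items():
        print(f"{k}: {v}")
```

The regex pass over free text is the weakest step: it catches formatted identifiers but not names or unusual phrasing, which is why a real pipeline reviews notes separately and why the statisticians the article mentions matter.  Safe Harbor also requires that the covered entity have no actual knowledge that the remaining data could identify an individual; the Privacy Rule’s other route, Expert Determination (45 CFR 164.514(b)(1)), relies on exactly the kind of statistical re-identification analysis the article describes.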
I believe this is a great tool that has the potential to change patient care on many different levels.  More importantly, if a correlation is discovered, organizations will be able to notify patients and offer the opportunity to participate in further studies if needed.  The fact that both Deloitte and Intermountain are so attuned to ensuring patient privacy and HIPAA regulations will also be a large selling point for many different types of healthcare organizations.  However, the biggest challenge they may face is understanding local and industry requirements for de-identifying and cleansing patient data.  If they are as good as they say they are, this shouldn’t be a challenge!

Article Referenced:
Kolbasuk McGee, Marianne.  (July 2, 2013).  Big Data: Protecting Patient Privacy.  HealthcareInfoSecurity.com.  Found on July 7, 2013.  Retrieved from http://www.healthcareinfosecurity.com/big-data-protecting-patient-privacy-a-5880

Monday, July 8, 2013

Office of the National Coordinator Released 2014 Priorities




The Office of the National Coordinator (ONC) for Health IT recently released its privacy and security priorities for fiscal year 2014, which starts on October 1, 2013.

For those wondering, the ONC is a division of the Department of Health and Human Services and is headed by Farzad Mostashari, MD.  ONC duties include:

1.     Administer programs to guide healthcare providers as they “meaningfully use” certified electronic health record (EHR) technology under the HITECH Act EHR incentive program.
2.     Development of standards and technologies that will facilitate interoperability and secure health information exchange (HIE).

The ONC’s 2014 agenda includes:

1.     Identify and address cybersecurity threats.
2.     Provide technical assistance in:
A.   Security program management
B.    Risk management
C.    Access management
D.   Integrity management
E.    Audit management
F.    Incident management
G.   Continuity management
H.   Chains of trust controls
I.      Workforce management
J.     Media management

3.     Work with the National Institute of Standards and Technology (NIST) and others to develop frameworks that provide a foundation for patient and provider identity management, ensuring that clinical information is associated with the correct patient and/or provider.

4.     Continue to further privacy and security in future stages of the HITECH Act.

Has the ONC chosen the right privacy and security priorities?

I believe they have chosen the appropriate priorities for security management.  My suggestion would be for the ONC to also concentrate on interoperability issues.  The number of proprietary systems in existence creates significant challenges for organizations attempting to comply with “meaningful use” initiatives.  Furthermore, critical access hospitals are struggling with just meeting mandated milestones, thus leaving security initiatives as a last priority.

Article Referenced:
Kolbasuk McGee, Marianne.  ONC’s New Privacy, Security Priorities: Office of the National Coordinator for Health IT Outlines Goals.  Safe and Sound.  Found on July 5, 2013.  Retrieved from