The Key to Achieving HIPAA Compliance for Healthcare Organizations

Security attacks and data breaches are on the rise and attacks are becoming increasingly subtle and sophisticated. Protecting critical assets is getting tougher for healthcare organizations.

In fact, every time we hear about a security breach, the entire industry, and every individual user of healthcare (every one of us), is forced to focus on whether personal information is safe and secure. There is no choice. Healthcare entities must do more to better protect the security and confidentiality of patient health information and the increasingly connected healthcare networks.

To that end, the U.S. Department of Health and Human Services (HHS) is pushing for adoption of health information technology, which calls for a new level of safety and security in technology infrastructures. It also continues to encourage the widespread use of electronic data exchange in the U.S. healthcare system.

Getting on Board

This is not a question of “if,” but of “when.” To remain competitive, healthcare organizations will need to take advantage of the 21st-century “connected healthcare infrastructure” in delivering quality of care. To achieve compliance with HIPAA and other industry regulations such as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), a company must secure its enterprise and how it shares data. True, electronic data exchange, the HITECH Act, HIPAA rules, and the Joint Commission Information Management Readiness Standards pose tough information security challenges. But there really is no choice.

Companies must abide by these technology risk management and information security standards for the use and dissemination of healthcare information—or face strict penalties for noncompliance or loss of accreditation. Make no mistake about it. The HHS is proving true to its word that it can, and will, act on HIPAA violations. For example, effective January 2009, the HITECH Act amends parts of HIPAA and includes improved security and enforcement provisions that require:

  • Application of HIPAA security provisions and penalties to “business associates” of covered entities. (Previously, HIPAA required “satisfactory assurance,” only.)
  • Notification in the case of a breach and posting of such breaches on the HHS public website. (This includes covered entities, business associates, vendors, and 3rd party service providers.)
  • Tiered increase in potential amount of civil monetary penalties. For example, a violation due to “willful neglect” can result in at least $50K per violation up to a total of $1.5MM in a calendar year.
  • Enforcement by State Attorneys General, in addition to the existing HHS Centers for Medicare and Medicaid Services (CMS) and Office of Civil Rights (OCR) enforcement powers.

Additionally, the Joint Commission recently updated accreditation standards for healthcare organizations, with stricter requirements around information security, privacy, and technology risk.

To employ electronic data exchange capabilities and achieve regulatory compliance, a company needs insight, resources, and automated solutions to establish a clinical culture of continuous risk management and security that protects sensitive patient information. Security Information Management (SIM) allows healthcare organizations to implement appropriate security procedures as measured by the HITECH Act, HIPAA, and Joint Commission standards. In the event of a security breach, SIM offers the tools to prove that a company has taken all reasonable precautions to protect patient data.

A closer look at compliance mandates shows why healthcare organizations struggle to comply—and how SIM can eliminate compliance hurdles and secure your enterprise.

Why is HIPAA Important?

Governed by HHS, HIPAA Title II defines numerous offenses associated with healthcare and healthcare-related information. The most significant provisions of Title II for IT organizations are its Administrative Simplification rules. Per the requirements of Title II, HHS established five rules regarding Administrative Simplification:

  • Privacy Rule
  • Transactions and Code Sets Rule
  • Security Rule
  • Unique Identifiers Rule
  • Enforcement Rule

Various security standards apply to each of these rules, particularly for the Security Rule, which establishes three main security objectives: Administrative Safeguards, Physical Safeguards, and Technical Safeguards.

Yet, according to the rules, how a company satisfies individual security requirements and which technology it chooses is left to its own discretion. To get there, you must assess your organization’s unique risk and develop security measures accordingly. And, if you fail to comply? Healthcare organizations can face imprisonment and fines up to a total of $1.5MM in a calendar year for wrongful disclosure of individually identifiable health information.

The bottom line is that a fundamental benefit of HIPAA is that it encourages the wider use of electronic transactions, greatly simplifying healthcare administration and reducing administrative overhead costs. With the computerization of patient medical records, healthcare organizations face an increased security risk from various sources, such as unauthorized internal access, intrusion attempts, and other security attacks. HIPAA therefore mandates that companies take security measures to protect this sensitive data, ensuring that only patients and their healthcare providers have access to patient medical information.

To comply with HIPAA regulations and protect patient information, healthcare organizations are tasked with updating their legacy computer systems, ramping up their information security capabilities, and defining and implementing business processes that align with security objectives. To address the HIPAA Security Rule and ensure that Administrative, Physical, and Technical Safeguards are implemented that will lead to HIPAA compliance, a comprehensive and effective information security program is necessary.

Conclusion

Healthcare establishments are turning to information security best practices of risk and vulnerability measurement to ensure the integrity, confidentiality, and availability of patient systems and data. A fully implemented SIM solution, along with alignment of human, process, and information controls, enables healthcare organizations and related agencies to meet HIPAA and other information security mandates and objectives. Through SIM, a company can leverage existing technology and tools to identify, assess, and report on security-related issues and events for patient data, and ultimately provide tangible evidence of efforts.

Merryl Zdatny is senior director of marketing for netForensics, a security information management firm that helps companies in every industry see and eliminate threats, secure valuable assets, and solve pressing compliance challenges.
