As healthcare prepares for the Sept. 23 compliance deadline for the HIPAA Omnibus Rule, the industry finds itself at a crossroads.
On the one hand, the rule - published in January 2013 and effective March 26 - effectively brings HIPAA (enacted in 1996) into the 21st century and finalizes the new security and privacy safeguards required by the HITECH Act of 2009.
On the other hand, hardly a day goes by without a report of a (largely preventable) patient data breach from a hospital, contractor or other organization handling sensitive personal health information.
Why does healthcare struggle so much with data security? And what will it take for the industry to turn the corner?
Small Practices Especially Susceptible to Breaches
Since the fall of 2009, the U.S. Department of Health & Human Services (HHS) has, per the HITECH Act, published a list of data breaches affecting 500 or more patients. As of mid-September 2013, about 660 breaches had been reported.
A healthcare data breach analysis published by the Health Information Trust Alliance (HITRUST) at the end of last year notes that data theft outnumbers all other causes of data breaches combined - loss, unauthorized data access or disclosure, incorrect mailing, improper record disposal and hacking. Since 2009, hospitals and health insurers have reported fewer breaches, which suggests that they are getting better at preventing data loss, but academic institutions and especially physician practices struggle to address the issue, HITRUST says.
Small, independent practices typically lack the expertise and resources to handle their own security. What further complicates the matter, HITRUST points out, is the additional need to ensure that HIPAA business associates - those consultants, contractors, cloud service providers and other entities that handle a practice's patient data - also comply with privacy and security rules.
"Where we believe many organizations falter is not identifying and restricting access to what is actually required at a data, application and network level," HITRUST says. "This leads to information leakage and, ultimately, high-profile breaches when they do occur."
Take HIPAA Security Risk Analysis Seriously
It's for this reason that the federal meaningful use incentive program and the HIPAA Security Rule require healthcare organizations to conduct a risk analysis that examines the "confidentiality, integrity, and availability of electronic protected health information" (ePHI) that the organization holds. (Having such an analysis in place also tends to lessen the severity of the penalties levied by the HHS Office for Civil Rights if a breach does occur.)
At the outset, a risk analysis should cover the basics, says Christopher Hourihan, principal research analyst with HITRUST. This includes establishing policies, setting up a basic firewall, installing antivirus software, encrypting data and hardware, and training employees.
Organizations can't be afraid to restrict access to data, applications or auxiliary devices, adds Robb S. Harvey, a partner with the law firm Waller Lansden Dortch & Davis LLP. This isn't always easy, as doctors and executives alike often want access to all data, all the time. Meanwhile, training must encompass data security, of course, but it also must cover how to behave in the event of a breach - who to contact, what types of services to make available to patients, and so on.