Securing Health Care Records: Jury Is Out on Industry Competence

 
 
By Chris Preimesberger  |  Posted 2015-07-22
 
 
 
 
 
 
 
 
 
  • Previous
    Securing Health Care Records: Jury Is Out on Industry Competence
    Next

    Securing Health Care Records: Jury Is Out on Industry Competence

    By Chris Preimesberger
  • Previous
    Emerging Threats in Health Care
    Next

    Emerging Threats in Health Care

    Although hackers make up one of the top five threats listed by survey responders in health care, they don't top the chart as some might think. When it comes to the biggest threat that organizations face, according to survey responders, 28 percent agreed that No. 1 is their own business associates taking inadequate security precautions for protected health information (PHI). Human error and simple negligence can lead to huge threats to both an organization and its customers, especially in health care.
  • Previous
    Top Priorities
    Next

    Top Priorities

    The U.S. Department of Health and Human Services (HHS) has identified the need for improved interoperability of electronic health records systems as a key to easing national exchange of health information in order to improve treatment. However, while about half of the respondents said interoperability is important, they also said it should not be a top priority for regulators, because there are other more urgent issues. The top five information security priorities are 1) improving regulatory compliance; 2) improving security awareness and training; 3) preventing and detecting breaches; 4) updating business continuity/disaster recovery plans; and 5) monitoring HIPAA compliance of business associates.
  • Previous
    Mobile Device Protection Must Be Improved
    Next

    Mobile Device Protection Must Be Improved

    The growing use of mobile devices, including those that come under bring-your-own-device (BYOD) policies), is cited as the second-largest security threat organizations face. In fact, lost and stolen unencrypted devices have consistently been culprits in HIPAA breaches reported to HHS. Keeping data off mobile devices through the use of proper security technology is the best way to avoid having a device and its content fall into the wrong hands.
  • Previous
    Access to Data Needs to Be Tightened
    Next

    Access to Data Needs to Be Tightened

    When it comes to accessing electronic health records, usernames and passwords are still by far the dominant method of authentication employed for on-site users; this is followed by the use of tap-and-go badges. The same is true when remote users access data while on the job at an organization's offsite facilities. When providing clinicians with remote access to systems, nearly half of organizations polled use a VPN. Forty-five percent encrypt all data accessed remotely, and nearly one-third require the use of multi-factor authentication.
  • Previous
    Risk Assessments Need to Happen More Often
    Next

    Risk Assessments Need to Happen More Often

    HHS has emphasized the need to perform thorough and timely security risk assessments as a key compliance requirement in HIPAA. Three quarters of the survey respondents said their organizations conducted a security risk assessment in 2014. Given that this number is the same as last year's, there is still room for improvement. By far, the most common result of those risk assessments is that organizations revise or update their security policies. Nearly half of respondents say they've implemented new security technologies or revamped security education programs in response to risk-assessment findings.
  • Previous
    Confidence in Cloud Computing Security Still Not Good
    Next

    Confidence in Cloud Computing Security Still Not Good

    While the use of cloud computing has grown in many industries, when it comes to health care, only 64 percent of respondents said their organizations use it, which is not surprising, considering the increased fear of having important information stored in the cloud. In fact, of the 64 percent using cloud services, only about one-third are confident in their vendor's security and policy procedures.
  • Previous
    Governance Strategy Should Be More Prevalent
    Next

    Governance Strategy Should Be More Prevalent

    Having a security strategy in place is extremely important when it comes to PHI and ensuring privacy. The National Institute of Standards and Technology framework is used by more than half of organizations as the basis of their information security programs, followed by hybrid models and the HITRUST (Health Information Trust Alliance) Common Security Framework. Findings from the survey show that nearly 60 percent of organizations do, in fact, have a documented security strategy.
  • Previous
    Skilled Staffing a Requirement
    Next

    Skilled Staffing a Requirement

    Securing PHI is not all about the technology and policies in place. A benefit to companies is having talented staff in place. Two-thirds of organizations reported having a full-time chief information security officer (CISO) or equivalent role to oversee information security. As for organizations looking to hire in 2015, knowledge of privacy and security issues in health care is the most sought-after expertise, followed by risk assessment and security audit skills.
  • Previous
    The Bottom Lines: Improvements Needed, Awareness Increasing
    Next

    The Bottom Lines: Improvements Needed, Awareness Increasing

    The survey results do prove a failure among health-care organizations to implement some basic safeguards called for in the HIPAA Privacy Rule. More advanced information security technologies and practices should be in place to bring more robust protection. However, the industry continues to become more aware of the importance of all the elements needed to keep PHI safe and out of the wrong hands.
 

Health care organizations are coming to grips with new-generation methods of record-keeping. With the world moving away from paper and over to digital, there may be no choice. But are they doing an adequate job of complying with Health Insurance Portability and Accountability Act (HIPAA) regulations to ensure the privacy and security of patient data? According to a recent study conducted jointly by Information Security Media Group and email data protection company, Zix Corp., 79 percent of respondents were confident or very confident that their organization would pass a Department of Health and Human Services HIPAA compliance audit. That indicates they believe they're making all the right moves. But are they really? A closer look at additional results from the 2015 survey indicates that many organizations are still falling short in applying key technologies and practices to protect patient data against many current and emerging cyber-threats. In this eWEEK slide show, we dive a bit deeper into the survey's findings to see where things really stand.

 
 
 
 
 
Chris Preimesberger Chris Preimesberger was named Editor-in-Chief of Features & Analysis at eWEEK in November 2011. Previously he served eWEEK as Senior Writer, covering a range of IT sectors that include data center systems, cloud computing, storage, virtualization, green IT, e-discovery and IT governance. His blog, Storage Station, is considered a go-to information source. Chris won a national Folio Award for magazine writing in November 2011 for a cover story on Salesforce.com and CEO-founder Marc Benioff, and he has served as a judge for the SIIA Codie Awards since 2005. In previous IT journalism, Chris was a founding editor of both IT Manager's Journal and DevX.com and was managing editor of Software Development magazine. His diverse resume also includes: sportswriter for the Los Angeles Daily News, covering NCAA and NBA basketball, television critic for the Palo Alto Times Tribune, and Sports Information Director at Stanford University. He has served as a correspondent for The Associated Press, covering Stanford and NCAA tournament basketball, since 1983. He has covered a number of major events, including the 1984 Democratic National Convention, a Presidential press conference at the White House in 1993, the Emmy Awards (three times), two Rose Bowls, the Fiesta Bowl, several NCAA men's and women's basketball tournaments, a Formula One Grand Prix auto race, a heavyweight boxing championship bout (Ali vs. Spinks, 1978), and the 1985 Super Bowl. A 1975 graduate of Pepperdine University in Malibu, Calif., Chris has won more than a dozen regional and national awards for his work. He and his wife, Rebecca, have four children and reside in Redwood City, Calif.Follow on Twitter: editingwhiz
 
 
 
 
 
 

Submit a Comment

Loading Comments...
 
Manage your Newsletters: Login   Register My Newsletters























 
 
 
 
 
 
 
 
 
Rocket Fuel