Risk
11/1/2012
04:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

4 Best Practices: Combat Health Data Breaches

Senior health IT experts offer tips on how to bolster security and create a culture of privacy and compliance.

10 Wearable Health Gadgets
10 Wearable Health Gadgets
(click image for larger view and for slideshow)
Data breaches in healthcare are rising at an alarming rate, and within the past two years, nearly 20 million patient records have been compromised, according to the U.S. Department of Health and Human Services (HHS). Recently, the American Hospital Association brought together five senior executives to discuss security, compliance, and legal issues regarding best practices and how to create a culture of organizational compliance.

In the seminar, "Manage Data Breach Incidents and Improve Patient Privacy in Major Care Systems," experts discussed how to achieve organizational alignment around patient privacy across large organizations, how to mitigate the financial and reputational risks of a data breach, and specific ways to gain support from both the board and executives to create and maintain a culture of privacy. Experts included Kimberly Holmes, deputy product manager of healthcare at Chubb Group of Insurance Companies; Cheryl A. Parham, associate general counsel at New York-Presbyterian Hospital; Meredith Phillips, chief privacy officer at Henry Ford Health Systems; Marcy Wilder, co-chair of the Global Privacy and Information Group at Hogan Lovells; and Doug Pollack, chief strategy officer at ID Experts.

InformationWeek Healthcare spoke with Pollack, who recapped the four tips experts shared to make patient privacy and security part of an organization's culture.

1. Encrypt, Encrypt, Encrypt.

During the panel, Holmes outlined a core message, said Pollack, which was "simple and easy" but could substantially improve an organization's ability to maintain patient privacy. "That's encryption," said Pollack. "It’s particularly important and necessary to emphasize now because of the new device world we're moving into." Healthcare, he continued, is a "very aggressive" adopter of mobile technology, particularly tablets, and although encryption technology is often available, people might not focus on it as much as they should.

"A lot of times, when they're dealing with BYOD, they may not understand the need to maintain privacy and the importance of using encryption," said Pollack. "[We need to] get people focused on the one simple thing they can do in the security space and move the needle in terms of protecting patient privacy. Encryption is one of those rare focus areas that can make a huge difference."

2. Prepare For A Breach.

New York-Presbyterian's Parham said during the panel that when dealing with a large hospital system, the question isn't if, but when an organization will encounter a data breach. "It's a fact of life within the healthcare world that data is liquid; it needs to move around so much that it's impossible to completely eliminate breaches," said Pollack. "Her point was…it's important to have a plan in place that will dictate how you operate in the context of a breach."

Pollack added it’s important to understand who your first responders are, and, more importantly, how they will react in the situation. A common issue, though, is how often organizations will develop a response plan, "and then stick it in a file and that's it," he said. "We’re increasingly finding … hospitals are interested in testing their response plan. They'll assemble folks and do a table-top walk through of a sample data breach." By doing so, an organization can operationalize their response. "It can make a big difference as to whether you successfully or unsuccessfully deal with an incident," Pollack said.

3. Assess Privacy And Security Compliance Annually.

Even though it's required under HIPAA, said Pollack, many organizations still fail to perform a compliance assessment every year. "[Make] it part of your organizational DNA," he said. "Organizations need to get in the rhythm of doing it." Just as an organization develops its operating plan every year, it also needs to schedule and carry out a privacy and security assessment, "so they're budgeted and expected," he said. "The good news is by doing them, it'll help keep you out of trouble when you inevitably face an investigation by Office for Civil Rights (OCR), where they decide whether you've been acting poorly or not."

4. Find Gaps And Close Them.

Phillips spoke on how to find the security gaps within an organization and close them, and described what she and her team have done at Henry Ford Health System. "She talked about a natural follow-up to the assessment process, which is helpful to identify issues and do something about them," said Pollack. Phillips also said that she and her organization keep the OCR updated on the issues they have identified and are working to fix. "That’s to preempt any concerns or issues by illustrating your proactive efforts to address patient privacy," said Pollack.

Global Privacy's Wilder "wrapped a bow" around all the points executives made when it came to how to prepare for and combat against data breaches, said Pollack. To summarize, "encryption and culture come in, and organizations need to be prepared when breaches occur," he said. "[They] need to be transparent and especially transparent not only to those affected, but also to the regulatory systems, specifically OCR."

InformationWeek Healthcare brought together eight top IT execs to discuss BYOD, Meaningful Use, accountable care, and other contentious issues. Also in the new, all-digital CIO Roundtable issue: Why use IT systems to help cut medical costs if physicians ignore the cost of the care they provide? (Free with registration.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Harry142
50%
50%
Harry142,
User Rank: Apprentice
3/21/2013 | 7:36:04 PM
re: 4 Best Practices: Combat Health Data Breaches
Today EMR is the best implementation of Health Care IT under the Health Insurance Portability and Accountability Act (HIPAA), which protects patient privacy and sets security standards for electronic health records.

http://www.healthsecuritysolut...
MTECHNOLOGY000
50%
50%
MTECHNOLOGY000,
User Rank: Apprentice
11/5/2012 | 1:35:29 PM
re: 4 Best Practices: Combat Health Data Breaches
I agree with Jeff. Encryption, preparation, annual reviews, and closing gaps are all vital components of best practices but without a concerted effort to ingrain patient data protection into the culture of an organization, efforts will be futile.
jbrandt977
50%
50%
jbrandt977,
User Rank: Apprentice
11/2/2012 | 7:06:02 PM
re: 4 Best Practices: Combat Health Data Breaches
Great article except you missed one of the most important Best Practices. POLICIES and PROCEDURES, This is the easiest and best way to protect your organization. Most breaches are "Sneaker Thief" the data just walks out the door. I just competed working on the strategy for mHIMSS upcoming Roadmap on Privacy and Security. We go into detail of your 4 BP.

good work,

Jeff Brandt
@jeffbrandt
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7407
Published: 2014-10-22
Cross-site request forgery (CSRF) vulnerability in the MRBS module for Drupal allows remote attackers to hijack the authentication of unspecified victims via unknown vectors.

CVE-2014-3675
Published: 2014-10-22
Shim allows remote attackers to cause a denial of service (out-of-bounds read) via a crafted DHCPv6 packet.

CVE-2014-3676
Published: 2014-10-22
Heap-based buffer overflow in Shim allows remote attackers to execute arbitrary code via a crafted IPv6 address, related to the "tftp:// DHCPv6 boot option."

CVE-2014-3677
Published: 2014-10-22
Unspecified vulnerability in Shim might allow attackers to execute arbitrary code via a crafted MOK list, which triggers memory corruption.

CVE-2014-3828
Published: 2014-10-22
Multiple SQL injection vulnerabilities in Centreon 2.5.1 and Centreon Enterprise Server 2.2 allow remote attackers to execute arbitrary SQL commands via (1) the index_id parameter to views/graphs/common/makeXML_ListMetrics.php, (2) the sid parameter to views/graphs/GetXmlTree.php, (3) the session_id...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.