Risk
5/15/2012
10:12 AM
Connect Directly
RSS
E-Mail
50%
50%

ONC To Medical Practices: Get A Security Officer

An Office of the National Coordinator for Health Information Technology guide calls for medical offices to select a privacy and security officer.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
As part of a 10-step plan to protect patient data, the Office of the National Coordinator for Health Information Technology (ONC) recommends that medical practices establish a privacy and security officer who will be responsible for developing and maintaining policies and procedures that safeguard patient data.

The ONC's Guide to Privacy and Security of Health Information also recommends that medical practices record all of their practice decisions, findings, and actions related to safeguarding patient information. Additionally, these organizations should conduct a security risk analysis that compares what is legally and pragmatically required to safeguard patient information with what their current security system is capable of delivering.

The guide posits that the privacy and security of patients' health information is critical to the success of a medical practice. It states, "In your medical practice, patients are unlikely to share sensitive information unless they trust that you will honor their confidentiality. As you know, patients who trust their health information will be kept private and secure will be more willing to discuss their symptoms, conditions, and past and present risk behaviors."

The document adds, "Trust is clinically important and a key business asset. How your practice handles patient information is an important aspect of this trust."

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

The guide is being released against the background of several highly publicized patient data breaches that have compromised the privacy and security of personal health information belonging to millions of individuals.

Prepared by ONC's Office of the Chief Privacy Officer (OCPO) in collaboration with the American Health Information Management Association (AHIMA) Foundation, the guide outlines what healthcare providers must do as they integrate privacy and security into their clinical practice, including sections that address privacy and security and Meaningful Use. It also gives security risk analysis and management tips and suggests ways to work with electronic health records (EHR) and health IT vendors. The document also points health providers to health IT privacy and security resources.

In an interview with InformationWeek Healthcare, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments for medical providers, noted that the document's emphasis on physician offices and medical group practices that are adopting EHRs suggests that ONC recognizes that these practices' employees have little or no IT security training.

According to Berger, these medical practices are especially vulnerable to security breaches as they computerize more patient data. Furthermore, as the healthcare industry tries to meet security and privacy requirements under Meaningful Use Stage 2, which calls for greater electronic exchange of data between healthcare provider organizations, the risk for data breaches will rise.

"While the focus is on meeting Meaningful Use requirements, which is the path to receiving EHR incentive reimbursements, it is important that everyone keep their eye on the real objective at hand, which is to safeguard protected health information from data breaches," Berger said.

Other items in the 10-step plan recommended for medical practices to ensure the privacy and security of patient data:

-- Develop an action plan using the risk analysis results.

-- Manage and mitigate risks. Begin implementing your action plan and develop written and up-to-date policies and procedures about how your practice protects electronic protected health information (e-PHI).

-- Educate and train your employees. To safeguard patient information, your workforce must be trained on how to implement your policies, procedures, and security audits.

-- Communicate with patients. Emphasize the benefits of EHRs, perhaps using consumer education materials developed by other sources. Reassure patients that you have a system to proactively protect their health information privacy.

-- Update business associate agreements. Make sure your business associate agreements require compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.

-- Attest for the security risk analysis Meaningful Use Objective. Apply for an EHR incentive program only after you have fulfilled the security risk analysis requirement and documented your efforts.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
justaskjul
50%
50%
justaskjul,
User Rank: Apprentice
5/18/2012 | 7:57:48 PM
re: ONC To Medical Practices: Get A Security Officer
The practices that I work with that have the best rate of success achieving MU, Medical Home etc... are the ones that have a clinical compliance person on staff. Not only is this person responsible for the privacy/security aspect, they also are charged with ensuring that technology is being used in that "meaningful way."
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2886
Published: 2014-09-18
GKSu 2.0.2, when sudo-mode is not enabled, uses " (double quote) characters in a gksu-run-helper argument, which allows attackers to execute arbitrary commands in certain situations involving an untrusted substring within this argument, as demonstrated by an untrusted filename encountered during ins...

CVE-2014-4352
Published: 2014-09-18
Address Book in Apple iOS before 8 relies on the hardware UID for its encryption key, which makes it easier for physically proximate attackers to obtain sensitive information by obtaining this UID.

CVE-2014-4353
Published: 2014-09-18
Race condition in iMessage in Apple iOS before 8 allows attackers to obtain sensitive information by leveraging the presence of an attachment after the deletion of its parent (1) iMessage or (2) MMS.

CVE-2014-4354
Published: 2014-09-18
Apple iOS before 8 enables Bluetooth during all upgrade actions, which makes it easier for remote attackers to bypass intended access restrictions via a Bluetooth session.

CVE-2014-4356
Published: 2014-09-18
Apple iOS before 8 does not follow the intended configuration setting for text-message preview on the lock screen, which allows physically proximate attackers to obtain sensitive information by reading this screen.

Best of the Web
Dark Reading Radio