Risk
5/15/2012
10:12 AM
50%
50%

ONC To Medical Practices: Get A Security Officer

An Office of the National Coordinator for Health Information Technology guide calls for medical offices to select a privacy and security officer.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
As part of a 10-step plan to protect patient data, the Office of the National Coordinator for Health Information Technology (ONC) recommends that medical practices establish a privacy and security officer who will be responsible for developing and maintaining policies and procedures that safeguard patient data.

The ONC's Guide to Privacy and Security of Health Information also recommends that medical practices record all of their practice decisions, findings, and actions related to safeguarding patient information. Additionally, these organizations should conduct a security risk analysis that compares what is legally and pragmatically required to safeguard patient information with what their current security system is capable of delivering.

The guide posits that the privacy and security of patients' health information is critical to the success of a medical practice. It states, "In your medical practice, patients are unlikely to share sensitive information unless they trust that you will honor their confidentiality. As you know, patients who trust their health information will be kept private and secure will be more willing to discuss their symptoms, conditions, and past and present risk behaviors."

The document adds, "Trust is clinically important and a key business asset. How your practice handles patient information is an important aspect of this trust."

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

The guide is being released against the background of several highly publicized patient data breaches that have compromised the privacy and security of personal health information belonging to millions of individuals.

Prepared by ONC's Office of the Chief Privacy Officer (OCPO) in collaboration with the American Health Information Management Association (AHIMA) Foundation, the guide outlines what healthcare providers must do as they integrate privacy and security into their clinical practice, including sections that address privacy and security and Meaningful Use. It also gives security risk analysis and management tips and suggests ways to work with electronic health records (EHR) and health IT vendors. The document also points health providers to health IT privacy and security resources.

In an interview with InformationWeek Healthcare, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments for medical providers, noted that the document's emphasis on physician offices and medical group practices that are adopting EHRs suggests that ONC recognizes that these practices' employees have little or no IT security training.

According to Berger, these medical practices are especially vulnerable to security breaches as they computerize more patient data. Furthermore, as the healthcare industry tries to meet security and privacy requirements under Meaningful Use Stage 2, which calls for greater electronic exchange of data between healthcare provider organizations, the risk for data breaches will rise.

"While the focus is on meeting Meaningful Use requirements, which is the path to receiving EHR incentive reimbursements, it is important that everyone keep their eye on the real objective at hand, which is to safeguard protected health information from data breaches," Berger said.

Other items in the 10-step plan recommended for medical practices to ensure the privacy and security of patient data:

-- Develop an action plan using the risk analysis results.

-- Manage and mitigate risks. Begin implementing your action plan and develop written and up-to-date policies and procedures about how your practice protects electronic protected health information (e-PHI).

-- Educate and train your employees. To safeguard patient information, your workforce must be trained on how to implement your policies, procedures, and security audits.

-- Communicate with patients. Emphasize the benefits of EHRs, perhaps using consumer education materials developed by other sources. Reassure patients that you have a system to proactively protect their health information privacy.

-- Update business associate agreements. Make sure your business associate agreements require compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.

-- Attest for the security risk analysis Meaningful Use Objective. Apply for an EHR incentive program only after you have fulfilled the security risk analysis requirement and documented your efforts.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
justaskjul
50%
50%
justaskjul,
User Rank: Apprentice
5/18/2012 | 7:57:48 PM
re: ONC To Medical Practices: Get A Security Officer
The practices that I work with that have the best rate of success achieving MU, Medical Home etc... are the ones that have a clinical compliance person on staff. Not only is this person responsible for the privacy/security aspect, they also are charged with ensuring that technology is being used in that "meaningful way."
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3407
Published: 2014-11-27
The SSL VPN implementation in Cisco Adaptive Security Appliance (ASA) Software 9.3(.2) and earlier does not properly allocate memory blocks during HTTP packet handling, which allows remote attackers to cause a denial of service (memory consumption) via crafted packets, aka Bug ID CSCuq68888.

CVE-2014-4829
Published: 2014-11-27
Cross-site request forgery (CSRF) vulnerability in IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allows remote attackers to hijack the authentication of arbitrary users for requests tha...

CVE-2014-4831
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to hijack sessions via unspecified vectors.

CVE-2014-4832
Published: 2014-11-27
IBM Security QRadar SIEM and QRadar Risk Manager 7.1 before MR2 Patch 9 and 7.2 before 7.2.4 Patch 1, and QRadar Vulnerability Manager 7.2 before 7.2.4 Patch 1, allow remote attackers to obtain sensitive cookie information by sniffing the network during an HTTP session.

CVE-2014-4883
Published: 2014-11-27
resolv.c in the DNS resolver in uIP, and dns.c in the DNS resolver in lwIP 1.4.1 and earlier, does not use random values for ID fields and source ports of DNS query packets, which makes it easier for man-in-the-middle attackers to conduct cache-poisoning attacks via spoofed reply packets.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?