Risk
5/15/2012
10:12 AM
Connect Directly
RSS
E-Mail
50%
50%

ONC To Medical Practices: Get A Security Officer

An Office of the National Coordinator for Health Information Technology guide calls for medical offices to select a privacy and security officer.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
As part of a 10-step plan to protect patient data, the Office of the National Coordinator for Health Information Technology (ONC) recommends that medical practices establish a privacy and security officer who will be responsible for developing and maintaining policies and procedures that safeguard patient data.

The ONC's Guide to Privacy and Security of Health Information also recommends that medical practices record all of their practice decisions, findings, and actions related to safeguarding patient information. Additionally, these organizations should conduct a security risk analysis that compares what is legally and pragmatically required to safeguard patient information with what their current security system is capable of delivering.

The guide posits that the privacy and security of patients' health information is critical to the success of a medical practice. It states, "In your medical practice, patients are unlikely to share sensitive information unless they trust that you will honor their confidentiality. As you know, patients who trust their health information will be kept private and secure will be more willing to discuss their symptoms, conditions, and past and present risk behaviors."

The document adds, "Trust is clinically important and a key business asset. How your practice handles patient information is an important aspect of this trust."

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

The guide is being released against the background of several highly publicized patient data breaches that have compromised the privacy and security of personal health information belonging to millions of individuals.

Prepared by ONC's Office of the Chief Privacy Officer (OCPO) in collaboration with the American Health Information Management Association (AHIMA) Foundation, the guide outlines what healthcare providers must do as they integrate privacy and security into their clinical practice, including sections that address privacy and security and Meaningful Use. It also gives security risk analysis and management tips and suggests ways to work with electronic health records (EHR) and health IT vendors. The document also points health providers to health IT privacy and security resources.

In an interview with InformationWeek Healthcare, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments for medical providers, noted that the document's emphasis on physician offices and medical group practices that are adopting EHRs suggests that ONC recognizes that these practices' employees have little or no IT security training.

According to Berger, these medical practices are especially vulnerable to security breaches as they computerize more patient data. Furthermore, as the healthcare industry tries to meet security and privacy requirements under Meaningful Use Stage 2, which calls for greater electronic exchange of data between healthcare provider organizations, the risk for data breaches will rise.

"While the focus is on meeting Meaningful Use requirements, which is the path to receiving EHR incentive reimbursements, it is important that everyone keep their eye on the real objective at hand, which is to safeguard protected health information from data breaches," Berger said.

Other items in the 10-step plan recommended for medical practices to ensure the privacy and security of patient data:

-- Develop an action plan using the risk analysis results.

-- Manage and mitigate risks. Begin implementing your action plan and develop written and up-to-date policies and procedures about how your practice protects electronic protected health information (e-PHI).

-- Educate and train your employees. To safeguard patient information, your workforce must be trained on how to implement your policies, procedures, and security audits.

-- Communicate with patients. Emphasize the benefits of EHRs, perhaps using consumer education materials developed by other sources. Reassure patients that you have a system to proactively protect their health information privacy.

-- Update business associate agreements. Make sure your business associate agreements require compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.

-- Attest for the security risk analysis Meaningful Use Objective. Apply for an EHR incentive program only after you have fulfilled the security risk analysis requirement and documented your efforts.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
justaskjul
50%
50%
justaskjul,
User Rank: Apprentice
5/18/2012 | 7:57:48 PM
re: ONC To Medical Practices: Get A Security Officer
The practices that I work with that have the best rate of success achieving MU, Medical Home etc... are the ones that have a clinical compliance person on staff. Not only is this person responsible for the privacy/security aspect, they also are charged with ensuring that technology is being used in that "meaningful way."
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2012-1032
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in the Euroling SiteSeeker module 3.x before 3.4.5 for EPiServer allows remote attackers to inject arbitrary web script or HTML via unspecified vectors. NOTE: the provenance of this information is unknown; the details are obtained solely from third party inf...

CVE-2012-1417
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in Local Phone book and Blacklist form in Yealink VOIP Phones allow remote authenticated users to inject arbitrary web script or HTML via the user field to cgi-bin/ConfigManApp.com.

CVE-2012-1506
Published: 2014-09-17
SQL injection vulnerability in the updateStatus function in lib/models/benefits/Hsp.php in OrangeHRM before 2.7 allows remote authenticated users to execute arbitrary SQL commands via the hspSummaryId parameter to plugins/ajaxCalls/haltResumeHsp.php. NOTE: some of these details are obtained from th...

CVE-2012-1507
Published: 2014-09-17
Multiple cross-site scripting (XSS) vulnerabilities in OrangeHRM before 2.7 allow remote attackers to inject arbitrary web script or HTML via the (1) newHspStatus parameter to plugins/ajaxCalls/haltResumeHsp.php, (2) sortOrder1 parameter to templates/hrfunct/emppop.php, or (3) uri parameter to index...

CVE-2012-2583
Published: 2014-09-17
Cross-site scripting (XSS) vulnerability in Mini Mail Dashboard Widget plugin 1.42 for WordPress allows remote attackers to inject arbitrary web script or HTML via the body of an email.

Best of the Web
Dark Reading Radio