Risk
5/15/2012
10:12 AM
50%
50%

ONC To Medical Practices: Get A Security Officer

An Office of the National Coordinator for Health Information Technology guide calls for medical offices to select a privacy and security officer.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
As part of a 10-step plan to protect patient data, the Office of the National Coordinator for Health Information Technology (ONC) recommends that medical practices establish a privacy and security officer who will be responsible for developing and maintaining policies and procedures that safeguard patient data.

The ONC's Guide to Privacy and Security of Health Information also recommends that medical practices record all of their practice decisions, findings, and actions related to safeguarding patient information. Additionally, these organizations should conduct a security risk analysis that compares what is legally and pragmatically required to safeguard patient information with what their current security system is capable of delivering.

The guide posits that the privacy and security of patients' health information is critical to the success of a medical practice. It states, "In your medical practice, patients are unlikely to share sensitive information unless they trust that you will honor their confidentiality. As you know, patients who trust their health information will be kept private and secure will be more willing to discuss their symptoms, conditions, and past and present risk behaviors."

The document adds, "Trust is clinically important and a key business asset. How your practice handles patient information is an important aspect of this trust."

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

The guide is being released against the background of several highly publicized patient data breaches that have compromised the privacy and security of personal health information belonging to millions of individuals.

Prepared by ONC's Office of the Chief Privacy Officer (OCPO) in collaboration with the American Health Information Management Association (AHIMA) Foundation, the guide outlines what healthcare providers must do as they integrate privacy and security into their clinical practice, including sections that address privacy and security and Meaningful Use. It also gives security risk analysis and management tips and suggests ways to work with electronic health records (EHR) and health IT vendors. The document also points health providers to health IT privacy and security resources.

In an interview with InformationWeek Healthcare, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments for medical providers, noted that the document's emphasis on physician offices and medical group practices that are adopting EHRs suggests that ONC recognizes that these practices' employees have little or no IT security training.

According to Berger, these medical practices are especially vulnerable to security breaches as they computerize more patient data. Furthermore, as the healthcare industry tries to meet security and privacy requirements under Meaningful Use Stage 2, which calls for greater electronic exchange of data between healthcare provider organizations, the risk for data breaches will rise.

"While the focus is on meeting Meaningful Use requirements, which is the path to receiving EHR incentive reimbursements, it is important that everyone keep their eye on the real objective at hand, which is to safeguard protected health information from data breaches," Berger said.

Other items in the 10-step plan recommended for medical practices to ensure the privacy and security of patient data:

-- Develop an action plan using the risk analysis results.

-- Manage and mitigate risks. Begin implementing your action plan and develop written and up-to-date policies and procedures about how your practice protects electronic protected health information (e-PHI).

-- Educate and train your employees. To safeguard patient information, your workforce must be trained on how to implement your policies, procedures, and security audits.

-- Communicate with patients. Emphasize the benefits of EHRs, perhaps using consumer education materials developed by other sources. Reassure patients that you have a system to proactively protect their health information privacy.

-- Update business associate agreements. Make sure your business associate agreements require compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.

-- Attest for the security risk analysis Meaningful Use Objective. Apply for an EHR incentive program only after you have fulfilled the security risk analysis requirement and documented your efforts.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
justaskjul
50%
50%
justaskjul,
User Rank: Apprentice
5/18/2012 | 7:57:48 PM
re: ONC To Medical Practices: Get A Security Officer
The practices that I work with that have the best rate of success achieving MU, Medical Home etc... are the ones that have a clinical compliance person on staff. Not only is this person responsible for the privacy/security aspect, they also are charged with ensuring that technology is being used in that "meaningful way."
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Latest Comment: nice one good
Current Issue
E-Commerce Security: What Every Enterprise Needs to Know
The mainstream use of EMV smartcards in the US has experts predicting an increase in online fraud. Organizations will need to look at new tools and processes for building better breach detection and response capabilities.
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Join Dark Reading community editor Marilyn Cohodas in a thought-provoking discussion about the evolving role of the CISO.