2012 Security Priorities: An AnalysisImproving Regulatory Compliance and Training Among Top Tasks
The Healthcare Information Security Today survey, conducted by HealthcareInfoSecurity, shows the top five priorities are:
1. Improving regulatory (HITECH Act, HIPAA, state laws, etc.) compliance efforts;
2. Improving security awareness/education for physicians, staff executives and board;
3. Improving mobile device security;
4. Updating business continuity/disaster recovery plan; and
5. Preventing and detecting internal breaches.
Complying with regulations, including the HIPAA breach notification rule, is becoming a higher priority as major breach incidents grab headlines. "Executives are seeing large breaches of patient data on front pages, and it is suddenly becoming a much stronger incentive for them to allocate resources to information security," says attorney Adam Greene of the law firm David Wright Tremaine.
In addition, the Department of Health and Human Services' Office for Civil Rights is ramping up its efforts to enforce the breach rule as well as the HIPAA privacy and security rules, creating another powerful compliance incentive. The agency has issued some major fines for violations, including a $1 million sanction against Massachusetts General Hospital. And OCR's new director, Leon Rodrigeuz, who is an experienced prosecutor, pledges to continue ramping up enforcement. ""The fact that covered entities out there know that they are at risk for penalties is something that, in fact, in many cases will promote compliance," he stresses.
Plus, OCR is launching a HIPAA compliance audit program, another catalyst for compliance.
"It's becoming increasingly clear that the age of strictly voluntary compliance with respect to HIPAA has come to an end, and the threat of expensive settlements and corrective action plans with federal and state regulators is becoming an increasing reality," says Greene, who formerly was on the OCR staff.
But long delays in issuing final versions of HIPAA modifications, as mandated under the HITECH Act, as well as the final HIPAA breach notification rule are making it more difficult for organizations to make appropriate decisions about their privacy and security priorities and budgets.
"Without the final rules, you pretty much feel as though you're in limbo," says Kari Myrold, privacy officer at Hennepin County Medical Center in Minneapolis, who recently testified before Congress.
Because the rules have been delayed, healthcare organizations have "just missed another budget cycle" to make the case for more employees or more applications to help with compliance, Myrold says.
For now, the survey shows that only half of organizations have a detailed plan in place to comply with the interim final breach notification rule, which is now in effect. Plus, nearly a third rate their ability to comply with HIPAA and HITECH Act privacy and security provisions as poor, failing or in need of improvement.
An important component of any compliance effort is to ensure staff members are properly trained. About 43 percent of respondents grade the current effectiveness of their security training and awareness activities as poor, failing or in need of improvement. That's likely a big reason why training is the No. 2 priority for the year ahead.
"A lot of organizations did their initial HIPAA training as required, and that was pretty much the extent of the training they offered," says Terrell Herzig, information security officer at UAB Health System in Birmingham, Ala.
"An unengaged, poorly trained staff will undermine any compliance effort," adds Christopher Paidhrin, security compliance officer at PeaceHealth Southwest Medical Center in Vancouver, Wash.
Greene recommends that training "be focused on the organization's specific problem areas in addition to overall compliance. If there have been laptop thefts, for example, or improper disposal of hard copies or electronic media, make sure the training addresses those issues rather than just doing the same generic training from year to year."
Mobile Device Security
As clinicians ramp up their use of tablets, smart phones and other mobile devices, surveyed organizations say improving mobile device security is a top priority.
Despite all the headlines of breaches involving lost or stolen unencrypted devices, the survey shows that only 60 percent of organizations apply encryption to mobile devices. About 70 percent of those surveyed have a mobile device security policy in place.
In a new blog, Herzig offers advice on mobile device security. For example, he calls for forming a workgroup to build "use cases" to help establish a baseline for appropriate security controls (see: Mobile Device Security Tips for 2012).
Business Continuity Planning
Now that more patient records are being digitized, ensuring they're always readily available is growing in importance. Several major natural disasters this year called attention to the importance of disaster recovery planning.
"You never know what Mother Nature may throw at you and what size or magnitude of a natural disaster you may find yourself exposed to," Herzig says. "So it is very important that you review those disaster recovery plans and make sure that ... you are ready to deal with a community-wide disaster when it occurs.
The survey shows that only about 44 percent or organizations update their business continuity plan annually and about 43 percent test it annually.
As his organization prepares to update its business continuity and disaster recovery plans, Charles Christian, CIO at Good Samaritan Hospital in Vincennes, Ind., is seeking alternatives to storing encrypted backup tapes offsite.
But the delay in issuing the final HIPAA modifications rule is causing Christian to pause before considering a shift to storage in the cloud. That's because the modifications, as outlined in the proposed rule, would require business associates and their subcontractors - including cloud vendors with access to patient information - to comply with HIPAA. "One that regulation comes out ... I may look at cloud storage far more favorably," he says.
Preventing Internal Breaches
With about 380 major breaches now included on the HHS Office for Civil Rights' "wall of shame," breach prevention is now top-of-mind for many organizations.
The survey finds that the two biggest perceived security threats to organizations are mistakes by staff members - such as leaving a laptop in a car - followed by insider threats - such as records snooping and identity theft.
Clearly, educating staff about breach prevention plays a critical role. But organizations also need to take the initiative to detect breaches, Greene stresses.
He urges organizations to take both top-down and a bottom-up approaches to breach detection. "Top-down would be information security staff proactively auditing records to find potential breaches," he says. "The bottom-up approach is ensuring that all staff are trained to recognize what protected health information is ... and then understand when PHI may have been breached and to whom to report a breach."