7 Secrets of HIT Security
Jared Rhoads

1. The accounting-of-disclosures rule’s new two-rights model, which lets patients choose between a full accounting of disclosures and a much easier to produce access report, is a mixed bag, according to Rhoads. In trying to make things easier for organizations, it has actually made them harder for IT departments. “When the government gives multiple options, when they give an ‘and/or option,’ it actually turns out to be an ‘and option’ for IT vendors and provider organizations because now they have to do both,” he says. Rhoads thinks the disclosure-accounting rules are too burdensome, and because the proposal drew a large number of public comments, he suspects some elements of the rule might be rolled back later this year.

2. As the rule stands today, after a risk assessment an entity may determine that encryption is not reasonable and appropriate for addressing a particular risk, but if it does, it must document that decision and implement an equivalent alternative safeguard. Rhoads says there isn’t much that would justify not encrypting, so organizations should start investing in it now. To prioritize, assess your organization’s resources. Many organizations will not be able to encrypt every server at once, so start with the ones that carry the highest traffic, the ones that sit furthest out on the organization’s periphery, or the ones that carry the highest risk. “Most of the things like encryption are things that you ought to be doing because it’s the right thing, it’s good for your patients,” says Rhoads. “It may sound daunting but it’s within reach.”

3. Start planning your organization’s approach to two-factor authentication, Rhoads says. It most likely won’t be required in the final Stage 2 measures, but it will likely be a consideration a couple of years from now.

4. Organizations are responsible for the security of their business associates and even of those business associates’ subcontractors. To ensure compliance beyond putting that specific language into your vendor contracts, set up a regular review of their practices and be an active participant in how they carry out their business, Rhoads says.

5. As the CSC report states, end users are unfortunately still the greatest source of security breakdowns. To help avoid this, make sure training materials are relevant to each user’s role. Provide different role-specific coaching for technicians, nurses, physicians and so on, so that each user can hone their judgment on the specific use cases relevant to their job.

6. When performing a risk assessment, start with the most valuable data and work outward from there. Later this year, the Office for Civil Rights will begin its much-anticipated HIPAA compliance audit program. Up to 20 test audits will be conducted soon, with the final audit program to be launched either late this year or in early 2012. “Staying ahead of the curve is a good way to deliver on what your patients expect and to give yourself a little breathing room so you’re not always on the edge of what’s compliant,” says Rhoads.

7. To maintain security day to day while keeping up with new requirements and threats, an organization should invest in human resources such as a chief security and/or privacy officer. “You can’t just buy a technology vendor and expect to be secure,” says Rhoads. “It’s enterprise-wide where you need the processes in place and constant refreshing of the training materials and reminders to people.”