Privacy & Security: Never-ending Vigilance

Federal rules and regulations, especially the HITECH Act (ARRA) with its enhanced set of HIPAA regulations, have focused increased amount of attention on implementing security measures that can maintain the integrity of personal health information (PHI).But these regulations are not driving security strategies for progressive CIOs and CISOs. The rules are for the common good, but not the basis on which these leaders structure their data protection strategies say "Privacy and Security Issues" panelists at the Healthcare Informatics Executive Summit in San Francisco on May 12.Jennings Aske, J.D., is proactive about security. If you build your infrastructure to adhere to national security standards, it will not be a problem to meet state and federal privacy mandates, says the chief information security officer of Partners HealthCare in Boston.One aspect of maintaining the privacy of PHI is more difficult to control than security standards--and that is organizational culture. Most often, data breaches will occur because of staff members inappropriately accessing records.Data breaches are inevitable, says Jim Elert, CIO, Shared Services, Trinity Health, Novi, Mich. Delving into who has control, where, and why, will uncover more gaps and leaks than is imaginable.Snooping staff are not the only threat. Healthcare IT systems are notoriously weak in security. Whether that is the fault of the developer or that of purchasers lack of demand for stringent security measures is a moot point. There are many security shortcomings and huge development gaps, Elert notes.Sharing the physician informaticist viewpoint was Joseph Bormel, M.D., chief medical officer and vice president for clinical strategy, QuadraMed, Reston, Va., who emphasized the importance of helping physicians understand the value of security to them and to their clinical care. Aske says he presents security measures to physicians as important to maintaining the integrity of clinical data.