Approximately 174,792,250 people have been affected by 1,996 HITECH breaches through July 17, according to an analysis by Health Information Privacy/Security Alert. Many of these breaches were cybersecurity attacks. Breaches caused by cybercriminals affect a larger population of individuals than any other type of breach, and cybercriminals have a bull’s-eye on healthcare providers.
Interoperability between hospitals, providers, vendors, and insurance payers is key to the provision of high-quality, efficient, and effective patient care; however, this new connectivity has generated vulnerabilities and gaps between systems. The lack of standardization or guiding processes for system development and interoperability has led to insecure solutions and increased potential for patient harm.
Healthcare organizations face new security challenges in staying ahead of potential threats from hackers, and as a result they are seeking best practices for system security. Maintaining the security and privacy of information requires a multidisciplinary approach. It can no longer be seen as an issue for the IT department to solve in isolation. Information governance (IG) is an infrastructure that organizations can implement as a way to increase their cybersecurity resilience. Information governance programs view information in a holistic way and apply policies, procedures, and repeatable processes to enable a stronger approach to securing information across the entire organization.
The American Health Information Management Association (AHIMA) defines IG as “an organization-wide framework for managing information throughout its lifecycle and for supporting the organization’s strategy, operations, regulatory, legal, risk, and environmental requirements.”
Information governance can support a number of key healthcare initiatives that benefit hospitals and patients with safe use of health IT, secure interoperability, accountable care, right patient—right information, quality care at lower cost, reliable performance measures, trust in exchange partners, appropriate and ethical use of information, reliable analytics—decision support, a learning health system, and population health.
Based on its definition of IG, AHIMA has developed the Information Governance Adoption Model (IGAM) as a guide for implementing strong and successful information governance programs. The enterprise-wide IG infrastructure can be used to manage and protect information throughout all phases of its lifecycle: creation, capture, use, reporting, and disposition. The IGAM addresses all information in the healthcare ecosystem, which goes beyond just personal health information. There are 10 IGAM competencies that, when working in concert, can lead to more streamlined business and clinical processes, reduced risk, and reduced cost.
One of the 10 IGAM competencies is “Privacy and Security.” The privacy and security competency addresses the necessary requirements for ensuring information protection, risk identification and mitigation, information sharing best practices, a mature privacy and security program, cybersecurity practices, and more. Proactively addressing these domains will not only avoid the costs associated with a breach or cyberattack, but also prevent the hindrance of patient care.
On June 2, 2017, the Health Care Industry Cybersecurity (HCIC) Task Force released a report on cybersecurity concerns. The report stated that cybersecurity is a public health issue and must be addressed immediately and aggressively.
The report listed six high-level recommendations and action items:
- Define and streamline leadership, governance, and expectations for healthcare industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capabilities.
- Increase healthcare industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attack or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
It is critical that a nationwide approach to cybersecurity is identified and mandated. Based on the HCIC Task Force Cybersecurity Report, IG is part of the solution. These IG best practices will aid in safer patient care, safer patient information practices, reduced healthcare costs, reduced/avoided organizational costs, population health initiatives, and interoperability. Information governance practices at every healthcare organization, including third-party vendors and business associates, will streamline, standardize, and improve the healthcare industry as we know it today.
- Health Care Industry Cybersecurity Task Force Report on Improving Cybersecurity in the Health Care Industry. June 2017. https://www.phe.gov/Preparedness/planning/CyberTF/Pages/default.aspx
Kristi Fahy is the Information Governance Analyst at AHIMA and AHIMA IGAdvisors. Kristi has focused her career in health information management on supporting initiatives in information governance (IG), clinical documentation improvement, coding, and data analytics.
Kathy Downing is a Director of Practice Excellence at the American Health Information Management Association in Chicago focused on Privacy, Security, and the Electronic Health Record. She is a graduate of The Ohio State University and has been involved in American Health Information Management Association activities since she received the National Outstanding Student Recognition award in 1995.