
Hospitals Must Ramp Up Breach Detection

Lisa Gallagher of HIMSS urges "systematic" approach
February 9, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com

Hospitals and other healthcare organizations need to identify data security breaches "in a much more systematic way" to help ensure the privacy of personal information. That's the advice of Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society.

Gallagher, one of the nation's leading healthcare data security experts, advises hospitals to "go beyond compliance" with federal regulations to "implement an active security risk management process." She also urges hospitals to allocate adequate resources to security so they can address potential threats identified in their risk assessments.

A recent survey by Chicago-based HIMSS found that most hospitals spend less than 3% of their IT budget on security, a level Gallagher calls inadequate.

As the federal government provides billions of dollars in funding for electronic health records through Medicare and Medicaid incentive payments, the government and the industry "need to make sure adequate resources are applied to security," she adds.

In addition, she notes that HIMSS advocates widespread use of data encryption as a "best practice."

HOWARD ANDERSON: This is Howard Anderson, Managing Editor at Information Security Media Group. We are talking today with Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society. Thanks for talking with us today, Lisa.

LISA GALLAGHER: Thank you, Howard. Happy to be here.


ANDERSON: A recent HIMSS survey determined that only about half of hospitals have a full-time chief information security officer. Was that a surprising result, and do you believe most hospitals should have someone in that full-time position?

GALLAGHER: I do find that result somewhat surprising. I would have thought that the number would have been a little bit higher, and I do feel that organizations should have someone in that role.

ANDERSON: The survey also showed most hospitals spend less than 3 percent of their IT budget on data security. Do you think that level of spending will grow in the years ahead as more hospitals automate more clinical data?

GALLAGHER: To me, Howard, this is one of the most significant results from the survey. When I testified at the federal HIT Standards Committee meeting in November, I stated that this result was very concerning to me and it prompted me to portray the...results of this survey as a call to action to the industry. As we put more money into this sector for technology adoption, we should all collectively think about finding ways to ensure that adequate resources are applied to the security area.

So rather than just putting the onus directly on hospitals and even provider groups, what I wanted to say is the industry itself and those providing incentives need to take a broad look at how we can find ways to make sure that adequate resources get applied to security as we are adopting and implementing this technology.

ANDERSON: About 55 percent of those surveyed said that they conducted a risk analysis on an annual basis or every six months. Should all hospitals be conducting such an analysis annually or more frequently?

GALLAGHER: I believe that they should be conducting such an analysis at least annually. Remember that a security risk analysis is the basis of HIPAA compliance, so all organizations should be doing it. Also, a risk analysis is listed as the single requirement in the security area for achieving meaningful use of electronic health record technology (for the Medicare/Medicaid EHR incentive payment program) in the meaningful use notice of proposed rulemaking that just came out on December 30.

So the point here is that with the laws and regulations that are currently on the books and recently being promulgated, risk analysis is really the basis of the security activities that they are expecting organizations to undertake.

ANDERSON: Only half of the hospitals in this survey said their organization has a plan in place now for responding to threats or incidents of a security breach. Do you expect most are working on such a plan now given the new federal data security breach notification requirements?

GALLAGHER: We didn't find a lot in the works in the survey, but I think that, as you mentioned, the new federal data security breach notification requirement may bring attention to that issue. That having been said, I think that an incident response plan is a much broader type of plan or process for the organization. It covers all activities that are put in place to detect and respond to a breach. One component of that, of course, is notifying who is affected, and we know now that this is not only a regulation but this is also good business practice.
