HealthcareInfoSecurity.com - Information Security News, Regulations, & Education


Hospitals Must Ramp Up Breach Detection

Lisa Gallagher of HIMSS urges "systematic" approach
February 9, 2010 - Howard Anderson, Managing Editor, HealthcareInfoSecurity.com

(Page 3 of 3)

GALLAGHER: Originally when HIPAA was promulgated there was a lot of concern that encryption would be cost-prohibitive for some healthcare organizations, especially smaller ones. (So) they are allowed to include the cost as a factor in the risk analysis. My best guess is that there are perhaps some policies and procedural controls that could be put in place as well as perhaps physical controls that could be utilized, but the organization would have to clearly show that those controls that they put in place at their organization as implemented would...add up to equivalent alternative measures. So that really is a very organization-specific and implementation-specific determination that they would have to defend if questioned as far as their overall compliance.

ANDERSON: The certification criteria require EHRs to offer some sort of access control mechanism but do not specify a standard. What kinds of access control do you think vendors of certified EHRs are likely to offer?

GALLAGHER: Well as you mentioned, HHS took a look at this issue again and determined that for next year's certification criteria they would require the access control capability but did not choose to adopt a specific standard for them to meet for access control. They stated that this is because they believe that the industry will continue to innovate at a very rapid pace in this area and that by the time that they specified a standard, better methods might be available than they could possibly specify on an annual basis.

I believe they will re-evaluate this over time. But they are really leaving it to the market to innovate with regard to access control mechanisms. They do state elsewhere in the regulation that at a minimum they are expected to be able to assign a unique user name and/or number for identifying and tracking the user identity and also have controls in place that permit only authorized users to access electronic health information. So that is a generic description of access control...and then the vendors would innovate and provide capabilities beyond that in the marketplace.

ANDERSON: As you mentioned earlier, the federal government on December 30 also issued proposed meaningful use criteria describing how hospitals and physicians can qualify for incentive payments for using electronic health records. The proposal states that to qualify for the first stage of incentive payments, hospitals and physicians need to "conduct or review a security risk analysis of certified EHR technology." Can you explain just what that means?

GALLAGHER: I think we (HIMSS) will probably submit some questions on that exact wording, but this is how I would interpret it for now. An organization should conduct a security risk analysis of their implemented EHR--how it is implemented in their environment--or procure a security risk analysis from a third party, such as a consultant, and then review those results and act on the recommendations from the risk analysis results to determine what changes or additions they might want to make to their security controls in that environment to address any risks that are uncovered during that analysis.

So, conduct one yourself or procure one from a third party, review the results and act on the recommendations. That would form the basis of your security work for your implementation for the first year.

ANDERSON: Finally, do you have any other advice for hospitals on data security priorities for the year ahead?

GALLAGHER: I have two pieces of advice. Make sure that your security function in your organization is properly resourced. Make sure they have the appropriate knowledge, the appropriate staff and the appropriate budget to meet the requirements that are not only included in the regulation but are really coming out of the security risk analysis that you should be doing.

And then, make sure that your security activities move beyond just compliance activities to really implement an active security risk management process. We can see a pattern in regulatory and statutory provisions now, but they are really asking organizations to base everything they do in security in an ongoing and active security risk management process. So take a look at what your resources are and make sure you are practicing security risk management.

ANDERSON: Thanks very much, Lisa. We have been talking today with Lisa Gallagher of HIMSS. This is Howard Anderson of the Information Security Media Group.
