TRENDING:

Are Hospital Boards Clueless?

Consultant sees lack of compliance awareness Howard Anderson (ismg_editor) • March 3, 2010     Hospital boards of directors are just beginning to realize the size and scope of the information security regulatory compliance tasks their organizations must complete, one consultant contends.

When consultants describe to board members the beefed-up HIPAA privacy and security rules under the HITECH Act, including new breach notification requirements, "you can see their eyes go wide," says Mitch Morris, M.D., who heads the health IT practice at Deloitte Consulting LLP, New York.

Best-of-breed woes
Because so many hospitals took a "best-of-breed" approach to acquiring applications, picking and choosing niche software from multiple vendors, their HITECH security compliance efforts are now more complex, Morris contends.

So hospital executives and board members alike are just beginning to realize they must assure security for what can amount to hundreds of applications that contain "protected" healthcare information as defined in the HITECH Act, he says.

"Some CIOs are not even aware of the total number of applications at the hospital that contain protected health information," Morris says.

To comply with HITECH, hospitals must take steps to ensure the security of applications ranging from dietary systems to financial systems, in addition to core clinical systems, Morris stresses. "And nobody has done all that yet."

Morris says his firm is "finding a lack of awareness of the depth of the challenge" in handling breach prevention and detection as well as broader risk management.

He called on hospitals to consider "simplifying their application environments" by standardizing on systems from fewer vendors and integrating them well. He argues that HITECH alone may be a catalyst for a movement away from the best-of-breed approach.

Encryption
Morris also lamented the relatively rare use of encryption at healthcare organizations. "Most hospitals have not yet encrypted data on laptops," he asserted, in spite of highly publicized breaches involving the theft of portable devices.

A major problem in implementing encryption, the consultant says, is that many CIOs have no control over the procurement of laptops and other devices. As a result, employees may acquire computers from multiple sources and not install standard applications or encryption, he contends.

The IT department should take a lead role in the purchase of all computers and set enforceable standards for applications and encryption, Morris argues.

Morris made his comments March 2 in an interview at the HIMSS Conference in Atlanta.

Previous
White House Partly Lifts CNCI Secrecy
Next
EHR Certification Program Outlined

About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.



Around the Network

Aité-Novarica's Cybersecurity Impact Award
Aité-Novarica's Cybersecurity Impact Award
Organization-Wide Passwordless Orchestration
Organization-Wide Passwordless Orchestration
Are We Doomed? Not If We Focus on Cyber Resilience
Are We Doomed? Not If We Focus on Cyber Resilience
The Persisting Risks Posed by Legacy Medical Devices
The Persisting Risks Posed by Legacy Medical Devices
Craig Box of ARMO on Kubernetes and Complexity
Craig Box of ARMO on Kubernetes and Complexity
Whistleblowing Brings Visibility to the Role of CISOs
Whistleblowing Brings Visibility to the Role of CISOs
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
How 2U Inc. Is Fortifying Its Systems and Solutions Designs
Protecting the Hidden Layer in Neural Networks
Protecting the Hidden Layer in Neural Networks
David Derigiotis on the Complex World of Cyber Insurance
David Derigiotis on the Complex World of Cyber Insurance
Showing Evidence of 'Recognized Security Practices'
Showing Evidence of 'Recognized Security Practices'

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.