Bold Leadership on Risk Assessments: Going the Extra Mile to Boost Security, Share Insights
Intermountain Healthcare deserves praise for its gutsy leadership on information security. In addition to calling attention to the value of thorough risk assessments, it's acknowledging that it's got room to improve its own data security.
As Intermountain invests in multi-million dollar projects to address security issues, it plans to take the extraordinary step of crafting security best practices that others in healthcare can put to good use (see: Case Study: Intermountain Risk Analysis).
Many of the action items Intermountain recently identified following its aggressive risk assessment are similar to issues that other healthcare organizations end up addressing after they conduct an analysis, according to the recent Healthcare Information Security Today survey. Those issues include updating/revising policies, implementing new security technologies and revamping security training.
Unlike the third of healthcare organizations surveyed that haven't completed a risk assessment within the past year, Intermountain was conducting annual studies. But last fall, it decided to take an even closer look at its data security, trying to take the perspective of what an auditor from the Department of Health and Human Services would scrutinize.
The delivery system hired KPMG to do a very detailed security risk assessment. KPMG, you may recall, is the firm that HHS' Office for Civil Rights selected to conduct the first 115 inspections in its pilot HIPAA audit program last year (see: HIPAA Audits: The Next Round).
"We didn't want to fall short on an OCR audit," says Karl West, Intermountain's CISO. "Healthcare is not moving aggressively enough toward OCR's interpretation of the HIPAA regulations. We wanted to see all the risks that would be exposed in an OCR audit."
West argues that healthcare is behind other sectors when it comes to information security. "In general, there is a lot that the healthcare industry is not following that the Department of Defense, federal agencies and banking are doing. We're off the mark."
To help healthcare play catch-up, Intermountain plans to tap insights from government agencies, banking and other industries to develop security best practices in 12 areas ranging from business continuity to risk assessment and mitigation.
Intermountain is a large organization with 22 hospitals and more than 180 clinics. But keep in mind that it operates many small, rural facilities. So the delivery system's work to improve its overall security at small and large facilities alike - and its resulting best practices - could prove very helpful to other organizations.
As more patient information is digitized and shared, and new cyberthreats emerge, protecting patient data is only going to get tougher. In the meantime, OCR promises to ramp up HIPAA enforcement and impose stiffer penalties for noncompliance.
So Intermountain's plan to share security best practices based on real-world experience is, indeed, good news.