HIE Security Requires LayersIt's the Only Solution to Keep You Out of the Cold
Yes, hats, gloves, coats and boots are designed to keep individual parts of you warm. However, if you only wear one of them and venture out into a cold snowy New England day - you are going to be very cold (trust me - I know).
This same analogy can be applied to what security strategy should be considered when creating health information exchanges (HIEs). Just because you implemented security in one area does not mean you are "secure" - you really need to view security across the layers.
Just because you implemented security in one area does not mean you are "secure" - you really need to view security across the layers.
The emergence of HIEs is widely expected to provide a range of important benefits for patients, physicians and the healthcare industry as a whole. But before you embark on creating or participating in an HIE, you must consider the best ways to ensure the privacy and security of the information being collected, used or disclosed. Here are some critical considerations worth thinking about:
How do I create a consolidated governance program that ensures privacy and security provisions across a number of regulations? By creating a consolidated governance program, you can gain institution-wide visibility into how sensitive information is collected, where it is stored, who is accessing it and how it is being used.
How do I centrally manage and control access privileges to protected health information for authorized users? Given the large number of users, applications and data records, healthcare organizations need a consistent framework for managing access control policies across multiple applications, ensuring that user privileges are up to date, that access rights are granted in accordance with institutional policies, and access privileges are granted only to those who need them. For example, an employee in the medical billing department does not require access to the same records a doctor or nurse would need to provide care to a patient.
How do I verify that an individual who has been authorized and is requesting access to my HIE is who he or she claims to be? Organizations must validate a user's identity from the time access credentials are issued through the lifespan of a valid user's privileges. Especially for new users, conducting identity verification will provide you with assurance that the user is who they claim to be - from the start.
How do I provide for continuous monitoring of the HIE environment to manage my risk and ensure compliance? There can be millions of data-related activities and events occurring across multiple systems and applications every day. Having insight into those activities by retaining access logs, deploying automated tools to monitor system events and implementing controls that can send alerts at the first sign of a policy violation (i.e., unauthorized access to a system) are essential to ensuring compliance.
How do I control sensitive data and what policies do I have in place to prevent patients' privacy from being compromised? It is critical to ensuring privacy within an HIE to determine which data is most sensitive or at highest risk to be targeted and then define appropriate polices around that data.
Securing access to HIEs is critical to assuring patient privacy, the quality of healthcare services and continuity of care. By applying these considerations and appropriate security technologies, healthcare organizations can effectively manage the risks to their sensitive information while realizing the numerous benefits of health information exchanges.
Remember: Just as wearing one layer of clothing will not keep you warm, adding just one layer of security does not ensure patient privacy. Security is like dressing for a cold winter day; it must be applied in layers to be effective.
Angel Grant is a Principal Manager in RSA, The Security Division of EMC's Identity Protection and Verification group. She has more than 15 years of experience in the security and financial services industries and is responsible for a variety of initiatives which protect organizations against fraud and identity theft.
Prior to joining RSA, she was an Online Banking Senior Product Manager at P&H Solutions where she helped launch one of the industry's first online corporate cash management applications. Previously, she managed a mortgage division inside sales and service team for a large financial institution. Mrs. Grant holds a B.S. from Bentley University and studied at Oxford University.