Security Pros Discuss Top Challenges

Creating Practical Privacy, Security Policies Can Be Difficult
Attendees at the privacy and security workshop Feb. 20 talked about a number of issues they're taking on, including:
- Composing a comprehensive, yet practical, set of privacy and security policies and procedures. Creating pragmatic policies "is a very tough topic for the team that I'm on," one attendee said.
- Determining how best to convey to patients the steps an organization is taking to protect the privacy and security of their electronic health records.
- Figuring out whether a specific security incident constitutes a health information breach that must be reported to federal authorities and those affected.
- Dealing with conflicting regulations in various states on obtaining patient consent to share their records.
- Handling complex privacy issues that emerge when an employee is also a patient.
- Creating a game plan for how to get ready for looming federal HIPAA compliance audits, which are mandated under the HITECH Act and may start later this year.
Other Security Risks

One workshop speaker, Terrell Herzig, UAB Health System's data security officer, pointed out some other issues that security professionals may be overlooking.

For example, he said, organizations should make sure that outside firms hired to shred paper documents keep those documents secure at every step and do not leave them unattended while they await shredding. He also encouraged attendees to destroy unused storage media rather than keep it around, to minimize the risk of data exposure; UAB, for instance, grinds up its unused hard drives with its own crushing equipment.
Also at the workshop, Lisa Gallagher, senior director of privacy and security at HIMSS, announced the association has developed an enhancement to its privacy and security tool kit with specific guidance for smaller organizations. The enhancements were developed in collaboration with the Medical Group Management Association.