Building Security Awareness Among Docs

The key is explaining business risks
The best way to persuade physicians to take information security seriously is to explain the business risks involved, says Robert Tennant, senior policy analyst with the Medical Group Management Association, the trade group for physician group practice administrators.

"If they have a breach, they could go out of business if they don't do things the right way," Tennant stresses.

But physician groups, unfortunately, lack awareness of information security issues and HITECH Act compliance, and they lack funding for security programs, he adds.

"It's tough to convince smaller practices they have to take security seriously," Tennant says.

Risk assessment essential

The MGMA executive tells practices it's essential that they conduct a risk assessment, invest in technologies to address identified risks, develop a breach notification plan and train staff on security issues. Otherwise, he says, they run the risk of having their reputations ruined.

He also stresses the value of using encryption, especially for mobile devices. "Encrypting is cheaper than addressing a security breach," he notes.

To help educate physician groups, Tennant would like to see the Department of Health and Human Services give practices the opportunity to volunteer for security audits without sanctions. He says the Occupational Safety and Health Administration offers similar voluntary compliance audits. In a voluntary audit, "the government could look over the practice's security policies and procedures and give a report on how the practice can improve," he says.

Tennant also calls on federal regulators to set standards for certifying Health Information Exchanges to help ensure they all use the same protocols and policies. This would ease the sharing of information while protecting security, he contends.

Tennant spoke on a panel May 12 at the conference "Safeguarding Health Information: Building Assurance through HIPAA Security," sponsored by the HHS Office for Civil Rights and the National Institute of Standards and Technology.

Education needed

Another panelist, Dan Rode, vice president for policy and government relations at the American Health Information Management Association, says clinical software vendors need to do a better job of educating their clients about security issues.

"And too many vendors are not adding security functions because of perceived lack of demand," he contends.

Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, says many business associates, such as banks and billing services, are unaware that under the HITECH Act, they now must comply with the HIPAA privacy and security rules. "We need to reach out to them and pull them into the tent," she says.

Gallagher also calls on federal regulators to offer far more detailed HITECH guidance to healthcare organizations on such topics as security risk assessments, accounting for who has viewed electronic health records, breach detection and response, and securing wireless devices, among others.

About the Author

Howard Anderson

News Editor, ISMG

Anderson is news editor of Information Security Media Group and was founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.