Social Media Policies a 2011 Priority
Lisa Gallagher of HIMSS Sizes Up Top Security Trends
HIMSS is preparing a whitepaper offering advice on how to craft a social media policy that helps ensure no sensitive patient information winds up on social networks, Gallagher says. The report will be available early in 2011.
In an interview (transcript below), Gallagher pinpoints other key healthcare privacy and security trends for the year ahead, including:
- Developing strategies for deploying mobile devices safely;
- Making widespread use of encryption and secure e-mail;
- Addressing emerging privacy and security issues related to participating in health information exchanges.
Gallagher also calls on hospitals, clinics and other healthcare organizations to:
- Increase their spending on information security.
- Set clear security policies and then educate staff members on how to carry them out.
- Conduct timely risk assessments and then implement appropriate security controls.
HIMSS has more than 30,000 members who work in healthcare IT and management systems. With more than 25 years of consulting experience in security engineering, hardware design and software development, Gallagher specializes in the practical application of security techniques and standards, as well as privacy and security policy.
ANDERSON: What would you say are the top five trends in healthcare information privacy and security for 2011?
GALLAGHER: In thinking about this, I broke it into two areas. The first is what do we get the most questions on, or what are some of the most challenging issues in the technical area of security? I identified three trends from our recent security survey as well as what we get questions about.
The first is mobile device security. So many organizations have employees that either have or want to use mobile devices in their job -- laptops, smart phones, etc. Organizations need to understand how they can deploy these safely both through policies and procedures as well as technical controls to help them keep the information safe.
Then that leads us to another area, which is data encryption. A lot of organizations ask us about the requirements in this area: Do we really need to encrypt the data that we store and transmit? Do we need to spend the money on technical encryption technology, etc.? Then following that is e-mail encryption. There is a lot of discussion as to whether they should be encrypting all their e-mail. So those are some of the top areas that are more technical in nature.
Plus, there are a few emerging areas that we are talking a lot about. The first is privacy and security issues for the exchange environment. What happens when an organization participates in a health information exchange? What are their obligations and responsibilities with regard to data sharing? What about the recommendations on patient consent that were recently provided by the Privacy and Security Tiger Team advising regulators, and what does that mean to an organization that is about to start sharing information in an exchange environment? Those are things that we talk quite a bit about and our volunteer workers can get questions on.
Social Media Policies
Then the final emerging area is social media in healthcare. This is becoming a high priority topic. Organizations may want to have a social media presence, so they wonder how do they implement that and how do they control it. How do they ensure that no sensitive information is published and nothing is done that would damage the reputation of their organization? At the same time, they also have employees who make decisions every day about their own participation in social media. So how does an organization manage that and make sure that no information that is sensitive gets out and no damage to the reputation of the organization is done?
Interestingly, we find that most healthcare organizations don't have a policy on social media. So at HIMSS, we have a volunteer work group that is working on a white paper on this topic to give organizations advice on how to assess their risk and what mitigation strategies for those risks might be applicable. This is an example of how HIMSS, with our volunteers, responds to the needs of members on key issues or topics of interest in privacy and security.
ANDERSON: Do you have any idea when that white paper will become available?
GALLAGHER: ...That paper is already in draft and I'm guessing that it will be out in the next couple of months.
Security Spending, Risk Assessments
ANDERSON: So what advice would you give to healthcare CIOs and chief information security officers as they set their security spending priorities for next year and beyond? What investments and strategies are most important for protecting sensitive patient information, especially in light of the major breaches reported so far?
GALLAGHER: From the 2010 HIMSS Security Survey (see: Survey: Risk Analysis Not Universal), we already know that the amount spent on security is relatively low. Approximately half of our respondents reported that their organizations spend 3 percent or less of their IT budget on security. We have seen some improvement year over year, and we hope to see that going forward. But, of course, resources are tight, and spending needs to be focused on key priority areas for the organization.
For security, I think we really need to focus in two primary areas. The first is supporting the employee in understanding their role in security. From the list of major breaches, we see that the majority resulted from the loss or theft of portable devices. So we know that it is important that we set clear, achievable policies in these areas, and we also educate and train the employees on the security practices that will help each of them and the organization itself meet security goals.
Now for the organization itself, I think the biggest bang for the buck activity is to conduct a security risk assessment. This is a fundamental security activity. It's the basis for HIPAA compliance, and we even recently saw it as the single security requirement listed for stage one of the HITECH Act EHR incentive program. ... Once an organization does a risk assessment and understands its risk areas, it can evaluate its current security controls, its policies and procedures, etc. Then performing periodic assessments, and making changes to controls where needed, is the best way for an organization to meet all of its security goals as well as its compliance requirements. So that is something definitely worth spending some resources on.