The Future of Health Care Information Security
==============================================
By Bryan Cline, PhD
Posted on: January 13, 2010

Why do information security at all?
-----------------------------------
It's an interesting question, and one that's simple to answer. We "secure" or protect information that has value. Often-cited examples include national security information, battlefield intelligence and trade secrets. In the health care industry, patients and their families entrust us with their personal information along with their personal health and safety. A violation of this trust can have consequences ranging from personal embarrassment to medical identity theft.

For more than a decade, however, we've had another reason to protect personal information -- regulatory compliance. In 1996, the U.S. Congress passed the Health Information Portability and Accountability Act (HIPAA). A portion of HIPAA -- the Privacy Rule -- requires the protection of specific personally identifiable health information, referred to as protected health information (PHI). This caused an initial flurry of activity in the industry and was a driving force behind the creation of executive-level compliance and privacy offices in many health care institutions. Unfortunately, it had little impact on how PHI was protected once it became digital.
Reactive response
-----------------
As a result, information security programs remained typically reactive. Institutions responded to specific "pain points" with tactical solutions and failed to consider an overall strategy for the security of sensitive information over its life cycle. Information security architectures were "ad hoc" at best and safeguards were limited to best practices, which often as not were "best" only in the eyes of the information technology (IT) or security staff.
Over the course of several years, the U.S. Congress considered the problem and eventually complemented the Privacy Rule with the HIPAA Security Rule of 2003. Although intended to help the health care industry secure electronic PHI (ePHI), the Security Rule unfortunately turned out to be the industry's equivalent of the 2001 Government Information Security Reform Act (GISRA). Despite guidance from the Centers for Medicaid and Medicare Services (CMS), the Security Rule was as vague as GISRA, required only "adequate technical, physical and administrative safeguards" and lacked a viable monitoring and enforcement mechanism. There was simply no industry-accepted definition of what constituted compliance with the Security Rule, and as a result information security programs varied widely among health care institutions. Although it took Congress only a year to replace GISRA with the Federal Information Security Management Act (FISMA) of 2002, it took more than six years to add "teeth" to the HIPAA Security Rule with the most recent addition to the regulatory compliance lineup -- the Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the 2009 American Recovery and Reinvestment Act (ARRA). Although HITECH doesn't replace HIPAA as FISMA did GISRA, HITECH provides additional specificity to the Security Rule and, more importantly, broadens the scope of the rule, increases civil and criminal penalties, and extends enforcement to the state Attorneys General.
The result has been renewed interest on the part of health care institutions to mature their information security programs, increase focus on strategic planning and defined architectures, and become more proactive through the adoption of a comprehensive, controls-based approach to the management of information security and compliance risk. It seems a daunting task, but fortunately others have come before us. We can learn from our counterparts in the public sector or from other industries such as the financial sector. Or we can turn to consortia such as the Information Technology Governance Institute (ITGI), which shows how multiple frameworks and standards can be integrated for complete depth and breadth across the organization, from governance to service delivery.

Security drivers
----------------
Conformance drivers, such as regulatory compliance requirements, can be managed by an institution with an enterprise governance framework such as that proposed by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) supported by IT governance standards such as the Information Systems Audit and Control Association's (ISACA's) Control Objectives for Information and related Technology (COBIT). Best-practice standards such as the National Institute of Standards and Technology (NIST) or International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) 27000-series frameworks provide the methodologies needed to manage security and compliance risk, and process maturity standards such as that provided by the IT Infrastructure Library (ITIL) or ISO/IEC 21827 provide frameworks for quality service delivery, including the delivery of security services. The adoption of an integrated information security and compliance risk management framework and supporting standards is no easy task. While unified compliance frameworks are commercially available, an organization must still select the specific frameworks and standards to integrate. Further, the controls specified may not be prescriptive nor have "audit guidelines" to support their assessment. In health care, one would need to prescribe practices that meet regulatory requirements specific to health care that are also consistent with the needs of the institution. Unfortunately, we've already seen little consensus in the industry as to what safeguards "adequately" address compliance.
This lack of consensus has led to inconsistency, inefficiency, increased cost and greater risk in the industry. We've seen an increase in the number of breaches; greater oversight and scrutiny as evidenced by numerous (and ambiguous) federal and state regulations; a rapidly changing business and technology environment; a general inability to implement security in devices and applications; and inconsistent expectations for security across the industry that all lead to ineffective and inefficient compliance management. The amount of effort required to select, integrate and maintain a comprehensive, prescriptive control-based security and compliance risk management framework that addresses both best-practice security and risk frameworks as well as regulatory requirements is staggering. Many health care institutions cannot afford -- in terms of both dollars and trained personnel resources -- to undertake such an effort.
Fortunately, a group of forward-thinking providers, payers and vendors in health care formed the Health Information Trust (HITRUST) Alliance several years ago to address this problem. Members of the HITRUST Executive Council include organizations such as United Health Group, Kaiser Permanente, Humana, BlueCross BlueShield of Tennessee, Express Scripts, IMS Health, McKesson, Highmark, Philips, CVS Caremark, Hospital Corporation of America and Cisco Systems. And many more organizations helped develop what is arguably the industry's only security and compliance risk management standard. Integrating COBIT, NIST Special Publication 800-53, ISO/IEC 27001/27002, ITIL, the Payment Card Industry (PCI) Digital Security Standard (DSS), Certification Commission for Healthcare Information Technology (CCHIT) guidance and the HIPAA Security Rule, HITRUST released the first iteration of its Common Security Framework (CSF) in early 2009. Tailored for health care by health care, the HITRUST CSF provides a comprehensive, integrated control set that, like PCI-DSS, is prescriptive and subsequently auditable and certifiable, which allows any institution to quickly assess the security environment of its business partners and associates who adopt the standard.
HITRUST actively maintains the CSF to accommodate the changing business, technology and regulatory environment. The 2010 release will include additional standards such as the federal Red Flag requirements, HITECH changes to HIPAA and CMS guidance. Much of this work is being accomplished with significant help from HITRUST participating organizations in various working groups and committees, which address everything from recommendations for alternative CSF controls to institutional requirements for achieving certification against the CSF. In addition to the CSF, HITRUST offers other "value-added" services. Examples include security configuration guidance for electronic health record systems from vendors such as McKesson and Epic, certification of security technologies such as firewalls and security information and event management systems against the CSF controls, trusted brokering of third-party security and compliance assurance against CSF controls, and community outreach to facilitate the adoption of good information security practices across the country.
Less than a year after its formal release, HITRUST is seeing adoption of the CSF across every segment of the industry in large and small organizations alike. In fact, several states are pursuing CSF adoption as the security and compliance risk management standard for all health care entities operating within their states. The HITRUST CSF has become the de facto standard for integrated security and compliance risk management in the health care industry. The security of ePHI is both a trust and an obligation. Our patients and their families trust us with their personal information and we are obligated to provide the necessary due care and due diligence to ensure its protection. We can assure ourselves of satisfying both through industry-wide acceptance of the HITRUST CSF and avoid the burden of additional regulatory compliance requirements. And then the industry can concentrate on what we do best -- providing some of the very best patient care in the world.
Dr. Cline is director of information security at Catholic Health East in Newtown Square, Pa.
Comments (2)
------------

A fairly recent survey from the Ponemon Institute indicates that most health care providers have one or more known deficiencies in their HIPAA Security programs, yet many of these institutions apparently report to the Joint Commission that they are compliant with the Rule. From what I've been able to determine from many of my peers in the health care community, Security Rule compliance is "in the eye of the beholder", i.e., there is no definitive standard by which we in the industry hold ourselves to account. Some are implementing NIST, ISO 27001/2, or HITRUST CSF-based programs, but many are still using custom programs based on nothing more than what they perceive as "best practice." A GRC tool like Compliance Meter(TM) is an essential component of any information security and compliance risk management program, but it can only measure compliance with whatever standard is used by the tool. Selecting and implementing such a standard is arguably one of the most essential components of standards-based risk management. This is what the HITRUST Alliance attempts to address with their Common Security Framework and other value-added services.

Bryan Cline, Director, Information Security, CHE
March 24, 2010, Newtown Square, PA
The large covered entities will make use of this technology but it will be very difficult for the small business associate. We tackled this problem in accreditation by using cloud computing to deliver our content and consultants along with a task-based process to enable small organizations to get accredited by Joint Commission. We have now applied that to HITECH compliance so that business associates can get compliant, stay compliant, and prove compliance with our Compliance Meter(tm).

Jack Anderson, CEO, Compliance Helper
January 25, 2010, Healdsburg, CA
© 2009 Merion Publications, 2900 Horizon Drive, King of Prussia, PA 19406, 800-355-5627. Publishers of ADVANCE Newsmagazines.