Sam Curry, Chief Technology Officer, Identity and Data Protection, RSA, The Security Division, EMC Corp.
Since the HIPAA Omnibus Rule took effect March 26, 2013, it serves as a glaring reminder that organizations continue to let their security strategy be guided by regulations and compliance. There is no doubt that there is still work left in trying to shift from a narrow focus on compliance with regulatory requirements to a broader goal of building trust across identities, information and infrastructure. This means not just going back to simple foundational security principles, including authentication and role-based access controls, but also tackling the challenge of new technology trends such as mobility, bring your own device (BYOD) and cloud computing.
Steve Matheson, North American Vice President of Sales, BridgeHead Software
The premise of HIPAA is that personal health information must be secure and private. It remains the only premise the market has. So while the premise is good, the delivery, specificity and probability of keeping that data secure has not been thought through enough to provide a clear roadmap. Also, the technology is imperfect. The good news is that HIPAA is open-ended so hospitals can go in whatever direction makes the most sense for them in terms of defining how to achieve HIPAA compliance. The bad news is that HIPAA is so open-ended and undefined in terms of specific advice that it is hard to know which direction to go. Today, medical information touches not just doctors and nurses in the hospital, but billing companies and other third-party vendors, too. Many of these organizations are out of the hospital's control. Collection companies need to have an agreement to assume liability. So while HIPAA is good, the complexity of the healthcare ecosystem makes it hard for hospitals to be compliant. To make HIPAA work, healthcare needs all three legs: HIPAA, HITECH and Business Associate Agreements.
How prepared are healthcare organizations to handle the increased demands and information growth of the Patient Protection and Affordable Care Act in terms of data privacy and security?
Mac McMillan, CEO, CynergisTek, Chair, HIMSS Privacy & Security Policy Task Force
I think we as an industry are better prepared to meet these challenges than we were, and while I am optimistic that we will get there, I have some real concerns in this area. I worry about the smallest organizations in our community that are falling farther and farther behind due in large part to a lack of affordable resources to meet their data protection responsibilities. Last year's audits by OCR shined a bright light on the disparity between large and small organizations and their readiness to meet privacy and security. As we become an even more connected industry, these small providers are going to represent a real risk for those that they are connected to. Secondly, I see the whole information exchange and larger community-wide objectives being at risk when it comes to data protection unless we embrace the need for standards to support trusted interoperability. I feel confident in connecting and sharing with you when I have assurances that how you manage your enterprise is consistent from a trust perspective to how I manage mine. The way we achieve that trust environment is through standards. Lastly, I think the government, and by that I mean HHS predominantly, needs to step up its game. They cannot continue to be the example of how not to do it when they are supposed to be the leader in how to do it. There is a reason most people have a low confidence quotient with government management of their information. Things like continued breaches by the VA, incidents like Tricare and the whole mismanaged Healthcare.gov project just undermine their credibility and ability to lead.
Barry Chaiken, M.D., Chief Medical Information Officer, Infor
Organizations just have too many moving parts: EMR implementations, changes in reimbursement and consolidation of provider organizations, to name a few. Most organizations are not prepared to handle all of this at the same time. Plus, the guidelines are blurred as to sharing PHI to facilitate patient care, while also protecting PHI. New technologies put even more pressure on these organizations. Therefore, can any organization be properly prepared?
Rich Temple, National Practice Director, Beacon Partners
Healthcare providers have quite a ways to go in order to confidently feel comfortable about security and privacy around many facets of the [Patient Protection and Affordable Care Act]. While there are positive signs as far as the recognition of the importance of security, the advent of big data, cloud storage and health information exchange across disparate providers, all are challenging providers in ways that they are not fully used to yet. These new data models all require collaboration across providers and across applications, which can make the imperative to effectively secure this data exponentially more challenging.
Roberta Katz, Director, Healthcare Solutions, EMC Corp.
Healthcare providers face the unique challenge of keeping PHI highly available, secure and private as they increase the use of IT to improve patient care delivery. Security breaches – whether the data is kept on physical IT assets or in a private cloud – can create a lack of confidence in a healthcare system and have significant regulatory implications. Although many healthcare organizations plan to conduct a HIPAA Security Risk Assessment, which is a core requirement of Stage 2 EHR meaningful-use incentive programs, there is more work to be done. In a recent IT Trust Curve Global Study that EMC conducted, we found that:
• Sixty-one percent of global healthcare organizations surveyed have experienced a security-related incident in the form of a security breach, data loss or unplanned downtime at least once in the past 12 months.
• Nearly one in five (19 percent) global healthcare organizations have experienced a security breach in the last 12 months at an average financial loss of $810,189.
• Nearly one in three (28 percent) global healthcare organizations have experienced data loss in the past 12 months at an average financial loss of $807,571.
• Almost two out of five (40 percent) global healthcare organizations have experienced an unplanned outage in the past 12 months, losing 57 hours to unplanned downtime at a financial cost of $432,000.
HEALTH MANAGEMENT TECHNOLOGY February 2014 9