● Think Tank
Steve Matheson, North American Vice President of Sales, BridgeHead Software
Healthcare organizations are very poorly prepared. The healthcare ecosystem can be seen as a series of concentric circles. In the first and smallest circle, data is created and viewed in hospitals, and in this local use of data the hospitals are doing a pretty good job. Around that is a slightly larger circle that includes hospital clinical and business staff with their mobile devices. Both at rest and in transit, this data should always be encrypted to make it more secure. The next circle encompasses physicians in their own offices where they deal with a mix of paper and electronic data. The final circle includes patients at remote sites, such as kids at a college clinic or individuals at the pharmacy for their flu shots. As a rule, the further out the data gets, the less secure it is. As the hospital ecosystem grows, there are more ways to create diagnostic information on patients. Every time data is created, interested parties increase. Likewise, as data becomes more mobile, that data and its viewer must go to the people. So people all over are repetitively viewing data. Another part of the challenge is that the professional environment has turned into a quasi-public one: Many hospitals have adopted a BYOD policy so employees can see the information they need to do their jobs. Even if it’s permission-based, this system is imperfect because employees are still using their devices for personal purposes and intermingling the apps.
Hospitals are struggling in this highly complex and dynamic environment to implement technologies that can keep up. In many cases, these technologies are forcing hospitals to leapfrog their current capabilities by a few generations. Often, they can barely afford the storage required to keep up with just housing all of the data that is going online. They almost always struggle and fall short in terms of purchase of the advanced data management technologies required, and recruiting and hiring the people with the experience and skill sets needed.
HMT: How do you fix the challenges you face as quickly as possible?
Mac McMillan, CEO, CynergisTek, and Chair, HIMSS Privacy & Security Policy Task Force
All of these are basic requirements of HIPAA and an information security program. So the first thing you do to address these issues is rethink your approach to information security and the priority it is being given. To effectively manage security and meet compliance requires people, technology and processes. Just having policies isn’t going to cut it. It takes a combination of technical controls, realistic processes and workforce awareness and diligence to create a security environment. Identifying the right technical controls, measuring the effectiveness of processes and workforce competence is accomplished through proper risk analysis. After that it requires leadership evolvement to resource the program and a champion to manage it.
So how do you fix these challenges right away? Conduct or have an external third party conduct a thorough risk analysis. Appoint a competent information security manager. Prioritize resources to support the program (people/technology/funding). Then provide appropriate governance to make sure it’s getting done. In short:
• Conduct a safe harbor analysis and identify gaps in data protection. Apply encryption where those gaps cannot be eliminated.
• Invest in a privacy monitoring solution and audit planning that enable automated auditing and monitoring of workforce activity in critical clinical applications proactively.
10 February 2014
• Use a credible third party to conduct a thorough risk analysis with an objective lens.
• Accept that you cannot track ePHI manually and invest in a data loss prevention solution to assist in locating, mapping and managing ePHI in real time.
• Recognize that information security is no less complex than the systems environment it lives in today, and the person managing it has to be just as qualified as those managing that environment.
Barry Chaiken, M.D., Chief Medical Information Officer, Infor
First, identify the problems. Then, solidify your PHI sharing strategy. Once you have done that, you must develop guidelines and implement technologies that allow you to meet your goals. Just don’t jump in and address this piecemeal. It will not work.
Rich Temple, National Practice Director, Beacon Partners
Invest the time, money, and resources to do an end-to-end security and risk assessment, and don’t just look at it from a technology perspective. Look at people, processes, documentation and workflow, as well. Ensure there is an intuitive understanding of the HIPAA mandates and what the penalties are – to both individuals and to the whole organization – for non-compliance. Build detailed policies and governance structures that ensure those policies are adhered to.
Roberta Katz, Director, Healthcare Solutions, EMC Corp.
The world of data security has changed dramatically, rendering many traditional techniques ineffective and posing tough challenges for healthcare providers to prevent exposure of PHI. Simply building firewalls around the perimeter of the enterprise network is no defense against stealthy new forms of attacks. Persistent identity thieves can almost always enter and often move through systems gathering information for weeks before detection. Once discovered, the next challenge is responding fast enough to avoid loss of PHI. We encourage healthcare organizations to take a holistic view of security management by adopting an integrated approach to governance, risk and compliance (GRC). To align appropriate security activities for maximum protection across the enterprise, we suggest integrating a security management framework into your IT infrastructure comprising:
• Business governance: embedding security into all organizational structures and processes while taking into account regulatory requirements (HIPAA, HITECH) and internal policies;
• Security risk management: identifying and classifying information risks and tracking risk mitigation;
• Operations management: implementing security processes and controls in line with security policy to prevent risks from developing into security incidents;
• Incident management: detecting, analyzing, resolving and reporting security incidents to minimize their impact.
Steve Matheson, North American Vice President of Sales, BridgeHead Software
You don’t. It’s not a money, skill or technology issue. It’s all three, plus more. This is a transformational process and challenge that will take years for most healthcare systems to accomplish. Some won’t make it through and will collapse under the weight of everything that is being required. Others will find ways to modernize and will emerge with stronger methods – and will be the long-term surviving healthcare systems.
HMT HEALTH MANAGEMENT TECHNOLOGY www.healthmgttech.com