Jul 05 2010

Risky business

Category: hipaaDISC @ 11:02 pm
Information Security Wordle: NIST HIPAA Securi...
Image by purpleslog via Flickr

By Mary Mosquera

Last year’s HITECH Act toughened the rules and enforcement penalties health information handlers must follow to protect patient privacy.

Under the new policy regime, providers will have to pay more attention to the confidentiality and safety of patient information as they move more of their operations toward electronic health record-keeping.

Without sound security policies and practices, privacy “will be just a principle,” said Sue McAndrew, deputy director for privacy in the Office of Civil Rights, the Health and Human Services Department office that was given responsibility for health privacy and security policy under the new law.

OCR-draft-guidelines-for-security-risk-analysis

“We want it to be a reality for consumers,” she said at a recent privacy and security conference sponsored by OCR and the National Institute for Standards and Technology.

One of the most basic requirements is that providers must now perform a security assessment, a first step in understanding systems and electronic data over which they are temporary stewards.

OCR recently drafted guidance to help providers and payers figure out what is expected of them in doing a risk assessment. While it might sound onerous, a risk assessment might not be as difficult or costly as some providers might believe, even for small practices, privacy.

“When you say, ‘do a security risk assessment’, people’s eyes glaze over,” said Lisa Gallagher, security director of privacy and security for the Healthcare Information and Management Systems Society. “But really, it’s asking, ‘what are the risk areas?’, ‘how could someone get to it?’ and ‘what controls can you put in place to protect it.’”

In its guidance, OCR said organizations should identify and categorize their data collections, document threats to information that might lead to a disclosure of protected data and check to see if their current security measures are adequate.

“For a small organization, it sounds overwhelming and time-consuming, but in a lot of ways, it’s things that they already do,” said Pat Toth, a computer scientist in NIST’s computer security division.

“What small providers need to do is get an understanding of the framework and break down each step,” she said. “It is something that’s going to be living in their organization, so if they do their categorization and get that right, it will set the correct tone for the rest of the process.”

NIST has developed a quick-start guide, a “Cliff’s Notes” of its security publications detailing its risk management framework and risk assessment, in addition to frequently asked questions, to help providers, especially small practices.

For large organizations, risk management starts in the planning and architecture of systems across the enterprise and system life cycle, Toth said.

Besides a risk assessment, OCR is planning stricter reporting of disclosures of health information when electronic health records are used, even when the disclosure is for treatment and billing purposes. Providers will also have to give the reason for the disclosure. In May, OCR published a request for comments on its rulemaking.

The most effective method of accounting for disclosures is by using automated logging features in electronic health records and other computer systems, according to Mac McMillan, chief executive officer of Cynergistek Inc., an IT security consulting firm.

System logs are used to document and maintain a permanent record of all authorized and unauthorized access to and disclosure of confidential information so providers can recover evidence of that access.

“A lot of the difficulty to get accounting of disclosures in place is because of a lack of industry auditing capabilities,” he said at the OCR and NIST conference. “Most systems don’t have the functionality.” Moreover, IT security folks he works with have logging activated, “but they are still manually digesting them,” McMillan said, adding that manual audits are a time-consuming and imprecise process.

Even so, such practices must now be the order of the day under the new privacy and security framework. “The security rule says wherever you have electronic health information, you need to protect it,” said HIMSS’s Gallagher. “You may not even apply for meaningful use incentives. But if you’re keeping data in electronic form, you have to comply with the security rule.”

Related articles

hitech-act-increases-hipaa-security-requirements

healthcare-organizations-may-not-be-prepared-for-hitech-and-other-security-challenges

Tags: arra and hitech, Civil and political rights, Computer security, Consultants, Electronic health record, General and Freelance, hipaa security, hitech, National Institute of Standards and Technology, Risk management, Security


May 11 2010

OCR draft guidelines for security risk analysis

Category: hipaa,Security Risk AssessmentDISC @ 12:42 am

US Department of Health & Human Services
Image by veeliam via Flickr

The Health & Human Services Department published draft guidance to help healthcare providers and payers figure out what is expected of them in doing a risk analysis of their protected patient health information.

The security rule of the Health Insurance Portability and Accountability Act (HIPAA) requires that providers, payment plans and their business associates perform a risk assessment, but does not prescribe a method for doing so, according to draft guidance from HHS’ Office of Civil Rights (OCR). The HITECH Act directed that OCR oversee health information privacy.

Risk analysis is a technique used to identify and assess threats and vulnerabilities that may hamper the success of achieving bsuiness goals. In risk analysis determines if the security controls are appropriate compare to the risk presented by the impact of threats and vulnerabilities.

The guidance is not intended to provide a one-size-fits-all blueprint for compliance with the risk analysis requirement. Rather, it clarifies the expectations of the Department for organizations working to meet these requirements. An organization should determine the most appropriate way to achieve compliance, taking into account the characteristics of the organization and its environment.

Some of the content contained in this guidance is based on recommendations of the National Institute of Standards and Technology (NIST), OCR said

OCR guidance document explains several elements a risk analysis must incorporate, regardless of the method employed. So basically the auditor will be looking for all the elements required by the guidelines during an audit.

OCR dratf guigelines details

Information Security Risk Analysis, Tom Peltier

Tags: Business, Civil and political rights, Health care, health insurance, Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, Optical character recognition, Security