Good time for security advice

A conference this week offered lots of advice and warnings about data security so they can be ready for both HIPAA audits and cyberattackers. Based on the number of data breaches we have been reporting, it's none too soon.

During the meeting held by the National Institute of Standards and Technology and the Dept. of Health and Human Services’ Office of Civil Rights, the new OCR director Jocelyn Samuels offered important advice. Major breaches most often occur within organizations that lack comprehensive risk analyses, she said.

Meanwhile, Iliana L. Peters, JD, OCR’s senior advisor for HIPAA compliance and enforcement, said the agency also is working to better guide the industry through documents such as a breach safe harbor update; accounting of disclosures; methods for sharing penalty amounts; and the National Instant Criminal Background Check System final rule. The agency additionally is working on more guidance governing business associates; a breach risk assessment tool and more general factsheets on HIPAA provisions. Peters said the breach risk assessment tool will include information on what constitutes compromised data.

“We want you to look at the risks of data itself rather than just focusing on harm to the individual,” she said. This includes understanding what data were lost; types of identifiers contained in the data; likelihood that it would be identifiable; whether the protected health information (PHI) was actually acquired or viewed; and the extent to which the risk to the protected health information has been mitigated, she said.

“All of these things we’d be looking for in regard to your risk assessment,” she said.

Another interesting session was the keynote address delivered by Daniel Solove, the John Marshall Harlan research professor of law at the George Washington University Law School. Citing some alarming statistics, he talked about how to wake up the C-suite to the importance of good security.

C-suite buy-in plays a big role in compliance and ratcheting up the importance of a program. That’s necessary today because “we’re in the midst of a crisis in data privacy and security. Billions of passwords have been stolen. Chinese hackers stole the medical records for 4.5 million patients. The number of breaches keeps rising. It seems to be an epidemic. It keeps happening again and again. We’re seeing the same problems over and over again.”

Solove cited a Ponemon Institute study that found that data breaches cost healthcare institutions $5.6 billion and that 90 percent had at least one breach within the past two years. “Those are staggering numbers.”

After reading through numerous data breach incident reports, Solove said he found that two things matter the most when it comes to effective compliance: 1. The C-suite must truly understand the risks, the law and the importance of compliance; 2. The workforce must know how to protect protect health information. “That’s a big challenge because it involves human behavior but it’s related to buy-in at the top.”

A lot of work needs to be done in both of these areas because most incidents are preventable, he added.

Is your organization doing that work?

Beth Walsh

Clinical Innovation + Technology editor