Spotlight on information security
This week was HIMSS’ Privacy and Security Forum, and Clinical Innovation + Technology was there. We learned a little about the Office of Civil Rights’ plans for HIPAA audits, Boston Children’s Hospital’s experience with a cyberattack by Anonymous, the details of Aetna’s risk-based approach to information security, the alarming increase in healthcare-targeted cyberattacks and much more.
OCR Senior Advisor of Health Information Privacy Linda Sanches declined to elaborate on a timeline for audits, noting that the agency still is entrenched in a technology upgrade that has thrown plans off schedule.
However, she revealed that OCR soon will conduct online pre-audit survey screenings to help better facilitate reviews, so healthcare organization or entity data are available to auditors via a portal.
Organizations are chosen for audits through a randomized process that ensures proper geographic distribution and a range of organization sizes, she said.
Audits should not be seen as a “punishment,” Sanches said, adding that the best bet is for organizations to ensure they are in compliance by establishing policies and procedures, as well as examples of how the policies have played out in practice.
Breaches increasingly are on OCR’s radar. “It’s shocking how many come in. There are thousands and thousands of breaches,” she said. While “there always will be hacks,” she said OCR investigates whether organizations have policies and procedures, including regular risk analyses, in place to prevent them. “The onus is on you to prove you had systems in place to protect against it.”
Is your organization ready?
Beth Walsh
Clinical Innovation + Technology editor