Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

5/15/2012
10:12 AM
50%
50%

ONC To Medical Practices: Get A Security Officer

An Office of the National Coordinator for Health Information Technology guide calls for medical offices to select a privacy and security officer.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
As part of a 10-step plan to protect patient data, the Office of the National Coordinator for Health Information Technology (ONC) recommends that medical practices establish a privacy and security officer who will be responsible for developing and maintaining policies and procedures that safeguard patient data.

The ONC's Guide to Privacy and Security of Health Information also recommends that medical practices record all of their practice decisions, findings, and actions related to safeguarding patient information. Additionally, these organizations should conduct a security risk analysis that compares what is legally and pragmatically required to safeguard patient information with what their current security system is capable of delivering.

The guide posits that the privacy and security of patients' health information is critical to the success of a medical practice. It states, "In your medical practice, patients are unlikely to share sensitive information unless they trust that you will honor their confidentiality. As you know, patients who trust their health information will be kept private and secure will be more willing to discuss their symptoms, conditions, and past and present risk behaviors."

The document adds, "Trust is clinically important and a key business asset. How your practice handles patient information is an important aspect of this trust."

[ Practice management software keeps the medical office running smoothly. For a closer look at KLAS' top-ranked systems, see 10 Top Medical Practice Management Software Systems. ]

The guide is being released against the background of several highly publicized patient data breaches that have compromised the privacy and security of personal health information belonging to millions of individuals.

Prepared by ONC's Office of the Chief Privacy Officer (OCPO) in collaboration with the American Health Information Management Association (AHIMA) Foundation, the guide outlines what healthcare providers must do as they integrate privacy and security into their clinical practice, including sections that address privacy and security and Meaningful Use. It also gives security risk analysis and management tips and suggests ways to work with electronic health records (EHR) and health IT vendors. The document also points health providers to health IT privacy and security resources.

In an interview with InformationWeek Healthcare, Daniel Berger, president and CEO of Redspin Inc., a company that provides IT risk assessments for medical providers, noted that the document's emphasis on physician offices and medical group practices that are adopting EHRs suggests that ONC recognizes that these practices' employees have little or no IT security training.

According to Berger, these medical practices are especially vulnerable to security breaches as they computerize more patient data. Furthermore, as the healthcare industry tries to meet security and privacy requirements under Meaningful Use Stage 2, which calls for greater electronic exchange of data between healthcare provider organizations, the risk for data breaches will rise.

"While the focus is on meeting Meaningful Use requirements, which is the path to receiving EHR incentive reimbursements, it is important that everyone keep their eye on the real objective at hand, which is to safeguard protected health information from data breaches," Berger said.

Other items in the 10-step plan recommended for medical practices to ensure the privacy and security of patient data:

-- Develop an action plan using the risk analysis results.

-- Manage and mitigate risks. Begin implementing your action plan and develop written and up-to-date policies and procedures about how your practice protects electronic protected health information (e-PHI).

-- Educate and train your employees. To safeguard patient information, your workforce must be trained on how to implement your policies, procedures, and security audits.

-- Communicate with patients. Emphasize the benefits of EHRs, perhaps using consumer education materials developed by other sources. Reassure patients that you have a system to proactively protect their health information privacy.

-- Update business associate agreements. Make sure your business associate agreements require compliance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and the Health Information Technology for Economic and Clinical Health Act (HITECH) Breach Notification requirements.

-- Attest for the security risk analysis Meaningful Use Objective. Apply for an EHR incentive program only after you have fulfilled the security risk analysis requirement and documented your efforts.

The 2012 InformationWeek Healthcare IT Priorities Survey finds that grabbing federal incentive dollars and meeting pay-for-performance mandates are the top issues facing IT execs. Find out more in the new, all-digital Time To Deliver issue of InformationWeek Healthcare. (Free registration required.)

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
justaskjul
50%
50%
justaskjul,
User Rank: Apprentice
5/18/2012 | 7:57:48 PM
re: ONC To Medical Practices: Get A Security Officer
The practices that I work with that have the best rate of success achieving MU, Medical Home etc... are the ones that have a clinical compliance person on staff. Not only is this person responsible for the privacy/security aspect, they also are charged with ensuring that technology is being used in that "meaningful way."
COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/6/2020
Russian Cyber Gang 'Cosmic Lynx' Focuses on Email Fraud
Kelly Sheridan, Staff Editor, Dark Reading,  7/7/2020
Lessons from COVID-19 Cyberattacks: Where Do We Go Next?
Derek Manky, Chief of Security Insights and Global Threat Alliances, FortiGuard Labs,  7/2/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-3931
PUBLISHED: 2020-07-08
Buffer overflow exists in Geovision Door Access Control device family, an unauthenticated remote attacker can execute arbitrary command.
CVE-2020-15600
PUBLISHED: 2020-07-07
An issue was discovered in CMSUno before 1.6.1. uno.php allows CSRF to change the admin password.
CVE-2020-15599
PUBLISHED: 2020-07-07
Victor CMS through 2019-02-28 allows XSS via the register.php user_firstname or user_lastname field.
CVE-2020-8916
PUBLISHED: 2020-07-07
A memory leak in Openthread's wpantund versions up to commit 0e5d1601febb869f583e944785e5685c6c747be7, when used in an environment where wpanctl is directly interfacing with the control driver (eg: debug environments) can allow an attacker to crash the service (DoS). We recommend updating, or to res...
CVE-2020-12821
PUBLISHED: 2020-07-07
Gossipsub 1.0 does not properly resist invalid message spam, such as an eclipse attack or a sybil attack.