HIMSS17 Reflection: Security Driven to Forefront of Compliance
It’s wonderful to be surrounded by likeminded people seeking solutions to similar business challenges, and the annual HIMSS Conference and Exhibition always proves such an occasion for Health Information Technology (HIT) and Health Information Management (HIM) professionals. This year, over 42,000 HIT and HIM professionals, executives and vendors convened in Orlando for cutting-edge educational and networking opportunities.
My primary focus at the conference was to explore how today’s challenges can be turned into opportunities to strengthen MRO’s security posture and compliance stances, and also to provide more secure and efficient ways of exchanging Protected Health Information (PHI).
Privacy has come a long way in a handful of years, and now security is being driven to the forefront of compliance regulations. Here are some takeaways:
General Threat Detection
As the risk and threat landscape continues to evolve, organizations need to adapt. We must be ever-diligent in applying the proper safeguards, like implementing evolving and adaptive multi-tiered and multi-layered technologies to protect our sensitive assets, such as clinical, pharmacy or patient data. One specific threat facing healthcare organizations is ransomware.
Ransomware attacks – the hijacking and encrypting of an organization’s data by cybercriminals for purposes of extortion – are a major source of risk. These attacks are typically caused by employees clicking malicious links in emails or unknowingly opening files containing a malware virus, rendering data inaccessible.
Humans continue to be the weakest link in the healthcare security chain. Ongoing staff training can mitigate this risk. Regular training activities, like phishing exercises, can help instill security best practices in employees. Business Associates (BAs) should also provide regular ongoing training to their employees.
Third Party Vendor Management
Third party vendor management is another tough challenge facing the industry. Whether it comes from compliance requirements imposed by Covered Entities (CEs) on their BAs or requirements trickling down to vendors partnered with BAs, establishing trust and providing accurate assurances are necessary to operate in the medical space today. Risk assessments are a large part of this. Whether organizations are assessing themselves as part of their ongoing risk management programs, conducting formal third party assessments or engagement level assessments, all organizations need to conduct ongoing risk and third party due diligence.
The adoption of common privacy and security criteria healthcare organizations can attest to through groups like the Health Information Trust Alliance (HITRUST), and then trust many times over, has been slow but encouraging. Benefits of such attestation include minimized maintenance and management of third party assessments.
HIT and HIM professionals must be prepared to implement newer controls, provide more adaptive and holistic threat and breach management, and prepare to deal with and recover from the potential technical incidents impacting our organizations.
Learn more about third party vendor management in the MRO blog post “Four tips for Business Associate and subcontractor management.”