
Trends affecting privacy and information security

Physician Practice Insider, December 16, 2014

Privacy and information security programs in healthcare organizations have developed and matured to meet the requirements of HIPAA and other federal and state laws, but in some organizations, providers and managers struggle to keep pace with the changes. Expanded focus on EHR technology and new threats to the security of personally identifiable information (e.g., healthcare, financial, educational, employment) will further affect privacy and information security programs in the future.

Examples of key trends affecting healthcare organizations that may have significant impact on the evolution and priorities of privacy and information security programs include the following.

Explosion of data
The explosion of data comes with an increasing focus on the criticality of an organization's information assets. Digital data is accumulating rapidly, touching every area of an individual's life and the community at large. Data mining techniques applied to data banks and other repositories can analyze and predict individual behavior and personal preferences. Government data collection and related activities have also increased.

New and evolving organizations in healthcare have tremendous appetites for data as they seek to fulfill their missions and meet national goals and mandates for improving the healthcare system. These new organizations include accountable care organizations (ACOs), medical homes, health insurance exchanges, and health information exchanges (HIEs); eventually a national HIE network will join this group. Meanwhile, providers and other members of the healthcare community across the spectrum of care are participating in these ventures. All of this is occurring while organizations attempt to maintain or reduce costs, improve care coordination, and improve the overall quality of healthcare provided to individuals, families, and communities.

Mobility and mobile computing
The proliferation of mobile devices that connect friends, families, communities, regions, and the world is staggering and still growing. Mobile device management and security ranks among the top two concerns in most surveys of information security professionals and chief information officers.

In healthcare, as in other sectors of the economy, managers and information security officers struggle to implement safe, effective BYOD (bring your own device) policies. This is particularly troublesome for healthcare entities where technology is transforming how providers communicate. Mobile communication can improve care coordination, but security management of devices lags behind their communication capabilities. Some organizations emphasize the need for security of patient information in personal mobile device transmissions and impose policies that are often difficult to implement and monitor on an ongoing basis. Other organizations are investing in tracking and monitoring systems, technical controls such as encryption, network access control, mobile VPNs, remote lock and wipe functionality, mobile anti-malware solutions, and digital rights management. Many of these approaches are new to healthcare; implementation requires staff time and additional resources. Providing clinicians and others safe, secure, and effective mobility solutions is a major theme and challenge in healthcare.

Use of social media
Social media participation is common in healthcare, as in other businesses. Typically, an organization's code of conduct and human resource policies address the use of social media, including appropriate use and guidelines for use on the job. As social media use continues to expand in all areas, organizations that forbid or limit the use of social media by their workforce may be delaying the inevitable.

Social media becomes a strategic issue for organizations that decide to use it as a strategy for improving or enhancing market share, interacting with the community, or collaborating with colleagues in caring for patients or conducting research. This takes the use of social media beyond human resources and workforce policies for acceptable use.

Healthcare organizations should develop a plan for social media. The planning process should include all stakeholders (e.g., marketing, administration, information technology [IT], security, privacy, human resources, physician, and nursing staff members). A plan should include specific goals for use of social media as an organizational strategy. Other provisions should address evaluating the use of social media and monitoring its effectiveness. Most importantly, the privacy and information security officers should participate in the planning process from the beginning to help protect the organization's assets and reputation.

Cloud computing
The National Institute of Standards and Technology (NIST), a division of the U.S. Department of Commerce, is well known for its technical leadership and analysis supporting the advance and productive use of IT across all industries. NIST defines cloud computing as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction."

Cloud computing comes in a variety of service models and deployments, ranging from public software-as-a-service (e.g., EHRs and email accessed solely through Web browsers) to private infrastructure-as-a-service (e.g., a healthcare provider that pools hardware resources to give departments access to shared data processing and storage). It offers scalability, flexibility, and cost advantages that may help healthcare organizations remain competitive during challenging economic times. But do cloud services provide the privacy and security of data that healthcare organizations require?

Despite their concerns, healthcare organizations are moving data to the cloud and outsourcing operations to vendors. This trend reflects the increasing pressure to reduce operating costs associated with networks, systems, and applications, as well as the capital expenditures necessary to expand and upgrade on-site data centers to meet increased demand for computing resources, particularly mobile technologies. Cloud computing is seen as a way to deploy new technologies more rapidly and to provide more user flexibility.

Healthcare providers should enter cloud computing arrangements with caution and their eyes wide open. Partnering with a cloud computing provider can help healthcare organizations meet their challenges, but providers must carefully evaluate data security risks posed by moving applications, systems, and networks to the cloud.

Cloud providers are considered business associates (BAs) and are responsible for complying with all provisions of the HIPAA Security Rule, but healthcare organizations retain ultimate responsibility for managing their data and complying with legal and regulatory requirements. Moving to a cloud environment is a business decision that must be approached with caution: it requires evaluating the vendor's ability to provide safe, reliable services, and even then providers remain responsible for ensuring the confidentiality of the information.

This article originally appeared on HCPro's Briefings on HIPAA.
