Healthcare Organizations Pressed By HITECH, HIPAA Security Pressures

The flurry of activity around security in the health care industry is largely a product of the HITECH (Health Information Technology for Economic and Clinical Health) Act, passed as part of the Obama administration's stimulus package passed a year ago. The act takes a carrot-and-stick approach to spur the conversion of all patient information to electronic health records. The federal government is offering $19.2 billion in incentives to organizations that meet its requirements, starting in 2011. On the other hand, the act provides penalties for non-compliance starting in 2015 and stiffer penalties for violating HIPAA, which has been largely unenforced.

The message to health care organizations struggling to protect patientinformation and other sensitive data under the HITECH Act, HIPAA andother compliance mandates is no different from the one enterprisesacross every vertical are hearing: Implement a risk-and standards-basedapproach across the organization and you're likely to succeed. Focus ontechnology and operations, and you'll certainly fail. "Make sure you've done good job of organizing around security throughout the organization," said Brian Cline, director of information security at Catholic Health East. "Adopt a governance model to have successful security, otherwise security will just be an IT problem."

Security tends to get short shrift if it is left solely in the hands of operational groups said Cline, speaking as a member of Verizon Business-HITRUST panel on the impact of regulatory initiatives on healthcare IT security. "A lot of times operations will trump security," he said. "The role of the CIO is to keep the lights on. The use of digital records puts tremendous pressure on healthcare organizations to implement comprehensive data security programs.  This applies not only to healthcare organizations but their partners, as HITECH extends security requirements to business associates. The act also requires disclosure for breaches of patient information, quite similar to the customer information disclosure laws enacted by more than 40 states.

"Underpinning this drive to IT modernization will be an information explosion in health information exchanges, regional health information organizations, and far greater connectivity within hospitals, between hospitals, and between hospitals and practices," said Graham Ward, HITRUST director of education and training. As we see this huge increase in electronic health data, criminals are already stepping up their attacks on healthcare systems, he warned. Without proper security, "modernization will grind to a halt."

Healthcare organizations have to deal with other compliance mandates, such as PCI DSS, in addition to HIPAA and HITECH. Security is also being driven by audit and assurance requirements between primary information holders (i.e., hospitals and physicians) and business partners, who either use their own criteria or any one of a number of standard frameworks. In response, HITRUST developed the Common Security Framework (CSF), a healthcare-specific, prescriptive set of security controls mapped to elements of recognized standards, such as NIST, and regulatory requirements, such as HIPAA and PCI. "Trust is key," said Michael Frederick, CIO at Baylor Healthcare system. "It will be extremely critical that one organization will have to rely on other organizations' risk posture before agreeing to share information. The primary reason Baylor became involved with HTRUST was to drive consistency between organizations and establish that trust."