Building a healthcare IT security ecosystem

By Jack Daniel

To properly meet requirements, Health Information Technology (HIT) owners need to focus their attention on creating and operating a solid electronic healthcare IT security ecosystem. What comprises this ecosystem? How do you build it?

A properly built healthcare IT security ecosystem protects many walled and non-walled environments: information collection, storage, and exchange. Applying a suitably sized, best-practices approach to these different security borders requires two critical elements: first, an appropriate mix and concentration of people, policies and processes; second, the correct portfolio of security technology. Both must be distributed across a landscape of practices, data centers, and health information exchanges (HIEs). The approach must be simple, scaled appropriately to address small-to-medium business (SMB) healthcare organizations as well as larger organizations, and provide the "armored car equivalent" of transport for patient information. To build the secured ecosystem, three steps should be considered: 1. Understand the landscape; 2. Perform a risk assessment; 3. Build out a program consisting of policies and procedures, and implement the appropriate technologies.

Step 1: Understanding the security and privacy landscape

For HIT owners to begin building a security ecosystem, it is imperative that they first review the current security and privacy landscape.

Breaches in Healthcare
According to an SC Magazine article by Kevin Prince, 90% of all information compromised is in electronic format. The same article references a McAfee research study showing that one-third of these breaches could force SMB healthcare organizations to close their doors. When breaches occur, new regulatory requirements emerge, adding an unwelcome layer of complexity for most organizations. The Payment Card Industry Data Security Standard (PCI-DSS), the Health IT for Economic & Clinical Health Act (HITECH), and state privacy legislation have most organizations viewing security as an insurmountable challenge.

Multiple Regulatory Concerns
Several regulatory concerns must be addressed when taking steps to create a secure healthcare IT ecosystem. Chief among them are:

HIPAA
The U.S. Congress enacted HIPAA in 1996. HITECH went into effect in 2010, extending HIPAA's ability to hold service providers and vendors with access to healthcare information accountable for compliance.

Meaningful Use Security Requirements
In order to meet EHR Meaningful Use requirements and qualify for federal reimbursements through the American Recovery and Reinvestment Act (ARRA), organizations must protect their electronic health information by implementing proper controls, including encryption.

State Privacy Laws
State privacy laws typically require technical controls, a written information security plan, and breach notification protocols. The most important take-away is establishing "reasonable" protection of consumer information.

Step 2: Risk Assessment

The assessment is where all the collected information is analyzed and quantified using a chosen framework. Many best-practices frameworks -- authored as agnostic or as regulatory drivers -- are available, most notably those provided by the International Standards Organization (ISO), the National Institute of Standards & Technology (NIST), and the Information Systems Audit & Control Association (ISACA). The recommended framework for a comprehensive assessment is a "best of breed" framework rather than a single best-practices framework. A "best of breed" framework maps the applicable regulatory drivers onto a chosen best-practices framework, so that regulatory compliance can be monitored and reported painlessly. The information collected is compared against the control objectives or statements within the chosen framework, resulting in a quantified current state of your organization's security posture and its pertinent compliance states. The following is a sample of the assessment:

[Figure: Concordant sample assessment chart]

Step 3: Develop the Program

The next important step is to focus on building the policies and procedures. The development of a program charter focuses on governance and security policies. It defines the roles and responsibilities within the program and ensures security activities are aligned with the organization's goals and objectives. A robust information security policy set ensures sensitive information is protected and that protection is aligned with regulatory concerns.

The procedure development process documents standards for the technologies and processes in place. Procedures are a critical component of a security program; they inform and enforce its implementation. This phase is also where the processes and technologies identified in the framework are implemented.

Why a Healthcare IT Security Ecosystem Approach?
A healthcare IT security ecosystem approach enables healthcare organizations of all sizes to continually assess their security posture against changes in their business and the industry, and to evolve the security program accordingly, reducing recurring effort. It ensures critical assets are secured and healthcare information is kept private while constantly deflecting emerging threats and addressing current vulnerabilities. Becoming strategic in your security approach will create that "armored car" effect around your healthcare perimeter and contain breaches.

Jack Daniel is Security Team Leader and Principal Consultant at Concordant, which provides healthcare IT consulting services, specializing in ambulatory EHR adoption and implementation.

Copyright © 2010 IDG Communications, Inc.
