The growing threat to the security of our health data

By Brad Tritle, global product owner for Vitaphone Health Solutions and co-founder of eHealth Nexus
For 2015, there are three areas of health IT security (and privacy) that I believe will be taken much more seriously than in the past: HIPAA training (HIPAA being the American law that protects the security of patients' health data), role-based access, and the security of mobile device applications.
Anyone who has worked at either a HIPAA-covered entity or a business associate has undergone some form of HIPAA training and then signed an agreement stating that they have been trained and will comply with HIPAA, with intentional noncompliance serving as grounds for dismissal.
When I served on The Office of the National Coordinator's Health Information Security and Privacy Collaborative (HISPC) several years ago, we found that most healthcare providers erred on the side of doing more than HIPAA required from a privacy perspective. Since that time, however, security requirements (e.g., HITECH) and the associated threats have increased. Meaningful Use (MU) has both required HIPAA security audits of those wanting their MU payments and created a marketplace in which other organizations, such as HIPAA Business Associates, can more readily perform such audits. The result: stronger security guidelines are being put in place across the industry, and employees will be required not just to sit through a 30-minute video, but to be thoroughly trained and tested on the specific employee requirements that support the organization's HIPAA compliance.
Role-based access, meaning a healthcare professional has access only to the protected health information they are authorized to see (e.g., a treating physician looking at the record of a patient under their care), is going to become more granular. Many in-patient, ambulatory and payer systems have given a single user practical access to any patient record on that system, regardless of whether there was a reason for that
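The difference between the coarse access the article describes and the more granular model it expects can be made concrete in code. The following is an added illustration, not code from the article or from any health IT product: a role check that lets any clinical user open any record, beside a check that also requires an active care or billing relationship with the specific patient and logs every decision. The roles, record sections, user and patient identifiers, and the `authorized_staff` set (assumed to be kept current by an admission or scheduling system) are all constructed for the example.

```python
"""Coarse role check vs. role plus treatment-relationship check for PHI access.

Added illustration, not code from the article or any vendor product. Users,
patients and the AUDIT_LOG below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class User:
    user_id: str
    role: str  # one of the keys of ROLE_SECTIONS


@dataclass(frozen=True)
class PatientRecord:
    patient_id: str
    # Staff with an active care or billing relationship to this patient.
    # Assumed to be maintained by the admission/scheduling system.
    authorized_staff: FrozenSet[str]


# Which sections of a record each role may read at all (assumed role model).
ROLE_SECTIONS = {
    "physician": frozenset({"clinical", "billing"}),
    "nurse": frozenset({"clinical"}),
    "billing": frozenset({"billing"}),
}

# Audit trail of every granular decision: (user, patient, section, outcome).
AUDIT_LOG: List[Tuple[str, str, str, str]] = []


def coarse_can_read(user: User, record: PatientRecord) -> bool:
    """Role alone decides. Any clinical user can open any record on the
    system, which is the over-broad access the article describes."""
    return user.role in ROLE_SECTIONS


def granular_can_read(user: User, record: PatientRecord, section: str) -> bool:
    """Role limits *what kind* of data; the relationship limits *whose* data.
    Both must hold, and the decision is logged either way."""
    role_ok = section in ROLE_SECTIONS.get(user.role, frozenset())
    relationship_ok = user.user_id in record.authorized_staff
    allowed = role_ok and relationship_ok
    AUDIT_LOG.append(
        (user.user_id, record.patient_id, section, "allow" if allowed else "deny")
    )
    return allowed


# Constructed sample data.
DR_LEE = User("dr_lee", "physician")
NURSE_KIM = User("nurse_kim", "nurse")
BILLING_RAY = User("billing_ray", "billing")
RECORD_P001 = PatientRecord("P-001", frozenset({"dr_lee", "nurse_kim"}))
RECORD_P002 = PatientRecord("P-002", frozenset({"billing_ray"}))


def denied_by_granular_only() -> List[Tuple[str, str, str]]:
    """Requests the coarse model allows but the granular model denies."""
    requests = [
        (DR_LEE, RECORD_P002, "clinical"),      # not on P-002's care team
        (NURSE_KIM, RECORD_P001, "billing"),    # nurse role has no billing access
        (BILLING_RAY, RECORD_P002, "clinical"), # billing role has no clinical access
        (DR_LEE, RECORD_P001, "clinical"),      # legitimate: allowed by both
    ]
    return [
        (u.user_id, r.patient_id, s)
        for u, r, s in requests
        if coarse_can_read(u, r) and not granular_can_read(u, r, s)
    ]


if __name__ == "__main__":
    for entry in denied_by_granular_only():
        print("over-broad access closed off:", entry)
    for entry in AUDIT_LOG:
        print("audit:", entry)
```

The point of the second check is that the role only says what kind of data a user may ever see; whether they may see it for this patient is a separate question answered by the relationship data, and the denial is recorded so that a later review can see who tried to open which record.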
8 welivesecurity.com