Under HIPAA, healthcare organizations are required to conduct a periodic security risk analysis, but one executive says health systems should do a more comprehensive self-assessment that pulls in a broader scope of data.
A HIPAA-mandated risk analysis requires health systems to focus on the security mechanisms that protect protected health information (PHI), but a security self-assessment can capture important information that falls outside the PHI classification, David Loewy, CISO at SUNY Downstate Medical Center, told Information Security Media Group. Organizations can do both at once by recruiting the organization’s audit team and tapping into resources offered by the Centers for Medicare and Medicaid Services (CMS) and the National Institute of Standards and Technology (NIST).
“If you combine the two, you can kill two birds with one stone, and the outcome is certainly usable for the entire continuum,” Loewy said.
In addition to traditional PHI, SUNY Downstate’s internal assessment pulls in information from educational and research departments that could be affected by a breach. The assessment also helps close gaps that might otherwise be identified during a HIPAA audit.
The Office of the National Coordinator for Health IT (ONC) has previously said hospitals are struggling to meet basic HIPAA requirements and has hinted that providers may face more fines in the future. Loewy told Information Security Media Group that IT departments are overwhelmed and many have become “firefighters.”
“We put out the current fires; we don’t look forward and take a proactive role in risk amelioration,” he said.
In 2017, Loewy’s organization is focusing on restructuring policies and procedures across the system to bolster employee compliance, while ensuring its risk assessment tools adhere to current best practices. User error has been the culprit behind past security breaches and emerged as a leading concern among executives in 2016.