Breaches show need for improved data governance in healthcare industry

When it comes to data security in the healthcare industry, it is a matter of finding the balance between technology, personnel and good governance structure, according to two information security experts.

Ron Raether, partner at the law firm Faruki Ireland & Cox, and Andrea Hoy, CEO of the consulting firm A. Hoy & Associates, spoke with HealthcareInfoSecurity.com about the importance of improving data governance for healthcare organizations.

Currently, the industry is doing "a fairly decent job of embracing the policies and procedures to handle many of the very visible known exposures of privacy data," Hoy said in the interview. However, she also said there are constraints, such as the use of legacy applications and systems, which make it difficult to upgrade security because organizations have to consider how the upgrade will impact those systems.

One of the biggest recent health data breaches is the Community Health Systems (CHS) breach, which impacted about 4.5 million patients.

Regarding that breach, Hoy said there are two areas where CHS can improve its governance program: patching for devices, since an unpatched device allowed the Heartbleed bug to be used to access CHS' system, and vulnerability management.

Raether said that the number of gateways and ways people can hack into healthcare systems is also a problem, one that is more particular to healthcare.

"When you're dealing with five, six, seven people having to get into the system through the same device, those perimeter security measures become more complicated," he said.

Hospitals have to start looking deeper into the system, looking for abnormal behavior, Raether added.

When it comes to having a good data governance program, an organization needs to get involved early on in the process with the right shareholders when onboarding new technology, Hoy said.

In addition, organizations should ensure that they have input from shareholders as to what they want to accomplish with the new tech, because then they can wrap the governance items around that to improve the governance program, she said.

The American Health Information Management Association has been at the forefront of the push for better information governance in healthcare. 

A recent white paper by the association showed that healthcare organizations still have a long way to go with improving their information governance practices. In AHIMA's survey, of the 1,000 healthcare professionals who responded, 35 percent did not know whether their organization had any information governance efforts underway or did not recognize a need for them.

In addition, AHIMA and the College of Healthcare Information Management are working together on information governance and standards. 

To learn more:
- listen to the HealthcareInfoSecurity.com interview