Cedars-Sinai CIO: Patient expectations will drive data protection efforts

Healthcare organizations facing new and greater threats to patients' electronic health information need to take more steps to keep that data secure, according to Darren Dworkin, senior vice president of enterprise information systems and CIO of Cedars-Sinai Health System in Los Angeles.

"Hospitals have been great in developing a rich culture of safety," Dworkin (pictured) told attendees Tuesday at the seventh annual conference on health information security in the District of Columbia; the gathering is cosponsored by the U.S. Department of Health and Human Services' Office for Civil Rights and the National Institute of Standards and Technology (NIST). "There is no reason we can't offer the same commitment in privacy and security."

Noting that the industry is seeing "rapid changes" in technology, which is affecting how providers need to secure patient data, he warned that patient expectation--not healthcare regulations--will be the driver of protecting records, and that the growing issue will be "if their expectations have been met."

Several steps he said that organizations must take to safeguard patient information include:

  • Having a policy on encryption
  • Intrusion detection and prevention
  • Patching
  • End-user security awareness
  • Encouragement of reporting of breaches
  • Auditing of business associates, including making site visits
  • Proactive auditing

Dworkin also suggested that providers work with vendors to limit patient protected health information (PHI) use by design, since current EHR functions allow for the viewing of too much information at a time. He added that providers and vendors also work together to develop pattern and exception reporting, similar to what's used in the financial industry.

What's more, Dworkin said, providers should safeguard patient information through actions such as  putting a "security seal" on all emails, employing an organization to launch a phishing attack on the provider as an educational tool, placing security software on staff's personal devices used at work and deployment of secure texting.

"Our first answer simply can't be 'no'" he said.