Unless patients trust healthcare organizations to protect their digital health data, they may be unwilling to allow it to be shared, which could have life-threatening consequences, John Benevelli, acting senior advisor for HIPAA Compliance and Enforcement in the Office for Civil Rights, said at the recent eHealth Summit.
He spoke as part of a panel on privacy and security at the event sponsored by the Centers for Medicare & Medicaid Services. He urged healthcare organizations to perform risk analyses and then develop mitigation strategies to address the risks they find, including those posed by mobile devices such as smartphones and tablets, reports Clinical Innovation & Technology.
Risk analyses must be repeated as new devices come out, he said, and sanctions put in place for violating policy.
Marilyn Zigmund Luke, senior counsel and compliance officer for America's Health Insurance Plans, also stressed the need for security policy and encryption if employees are allowed to use their own devices. Security requires "more than just a password," she said.
Mary Rita Hyland, vice president of Cooperative Exchange, advocated stressing that protecting patient data is everyone's job. And all systems must be tested before being added to the network.
"We have to think about the potential of privacy and security failing points in external and internal systems. It could come down to one individual having a bad day and inadequately testing a new release or updating something that was collected incorrectly," she said.
Indeed, Eastern European hackers accessed Utah Department of Health systems that had been installed without changing the factory default password. That breach affected nearly 800,000 people.
The extensive system and software upgrades required for implementing ICD-10 also provide a good opportunity for testing an organization's privacy and security systems, Hyland said.
The testing associated with ICD-10 is turning out to be far more time-consuming than many organizations had planned. Christine Armstrong, principal at Deloitte, has urged organizations to leave plenty of time to do a thorough job of it.