Hospital CISO: External risk assessments key to ensuring security

Providers should not underestimate the value of external risk assessments, no matter how strong similar internal programs seem to be, an IT security official at Einstein Healthcare Network in Philadelphia said.

Einstein Chief Information Security Officer Anahi Santiago, speaking with, said that regular third-party assessments are integral to ensuring IT safety and compliance at the seven-hospital system. Einstein, she said, has been conducting external assessments--in addition to internal assessments--for nearly a decade.

"The organization felt strongly that a third party coming in and conducting an organization-wide risk assessment gave us a better perspective and would prepare us for a potential audit," Santiago told "Though I think we would be ready … having a third party come in would prove that we're doing everything that we can to be compliant with HIPAA."

Last December, IT and security officials at Boston-based Partners HealthCare echoed those sentiments, saying that organizations must be proactive about privacy and security efforts. Then-CISO Robert Jennings Aske said that Partners likes to try to conduct third-party risk assessments while ignoring products claiming to be HIPAA compliant.

In March, the U.S. Department of Health and Human Services unveiled a new security risk assessment tool, aimed at helping providers in small- and medium-sized offices conduct risk assessments of their own organizations. The tool is the Office of the National Coordinator for Health IT's first app.

However, industry feedback on the tool to date has been less than stellar. The Healthcare Information and Management Systems Society called the tool confusing and clunky in a May 27 letter to National Coordinator for Health IT Karen DeSalvo.

Meanwhile, attorney Richelle Beckman of the Overland Park, Kansas-based Forbes Law Group called the tool imperfect, citing that only one person in an organization can use it at a time.

The permanent HIPAA auditing program will be narrower in scope than the 2012 auditing pilot program, with fewer site visits. About 350 covered entities will receive data requests this fall, and 50 business associates will be notified in 2015.

To learn more:
- read the article