No 'silver bullet' for health data protection, security expert says

Healthcare companies and organizations must not focus solely on technology when it comes to protecting sensitive information, according to privacy and security expert Kate Borten.

"There is nowhere near a single silver bullet," says Borten, founder of privacy and security consultancy The Marblehead Group, in an interview with HealthcareInfoSecurity. "Anyone involved with an information security program understands that there are a gazillion strategies, controls and safeguards to protect data."

Prior to founding Marblehead, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center. She urges organizations to also consider physical security and notes that many of the controls required with HIPAA are administrative ones.

"That doesn't just mean a written policy or procedure, but all sorts of evidence that you're really following them with processes that are in place," she says.

Providers in all but the largest organizations are still really weak in terms of internal expertise in the field of information security, as well as resources, bodies and hours in the day, she says.

What's more, she says, business associates' information security capabilities are all over the map.

Small provider organizations that are struggling to get their own houses in order should, at the very least, have pinned down all of their business associates, whether in a database or spreadsheet, Borten says. With more resources, she recommends further probing of the business associates' security policies, procedures and training content. If you feel your downstream partner needs help, you might want to share your policies and training materials, she says.

In late May, the U.S. Department of Health and Human Services Office for Civil Rights confirmed that it has sent pre-audit screening surveys to covered entities that could be selected to participate in Phase 2 of the HIPAA audit program.

OCR previously said that about 350 covered entities would receive data requests for the audits, as well as 50 business associates.

Chris Ewell, CISO of Seattle Children's Hospital, takes the stance that if you focus on security, compliance will naturally follow.
