Providers must move beyond just compliance-driven security practices, hospital leaders say

Providers must look beyond compliance-driven privacy practices, since compliance alone does not equal security, according to panelists speaking Tuesday at the 24th National HIPAA Summit in the District of Columbia.

Angela Diop, vice president of information systems at D.C.-based Unity Health Care, said her organization is building programs and systems to move it from compliance alone to full security. That includes adopting a security framework and making sure Unity has a complete risk program, rather than addressing issues one at a time, Diop said.

Unity wants to be systematic in its approach to security, she added, rather than waiting for audits to arrive.

Janelle Burns, privacy and security officer at Tennessee-based Baptist Memorial Health Care, also said that as programs mature, it is important for providers to look at data governance, and not just security by itself. That includes not only patient data, she said, but also business data, employee data and health plan data.

The panelists, who also included Clyde Hewitt, vice president and chief security officer at Allscripts, and David Holtzman, vice president of compliance at CynergisTek, agreed on the importance of providers starting with a systematic security framework.

"You have to pick one that fits with your organization, one that's systematic and consistent. If you're trying to pick and choose from various standards, you're going to end up with gaps," Burns said.

Holtzman added that organizations should use the framework as a tool to challenge themselves.

As for the roles of an organization's leaders when it comes to security, Burns said one of the most important aspects is a good relationship between the privacy and security team and the IT department. What each group does "goes hand in hand," she said.