Today's healthcare organizations are being urged to adopt electronic health records in the midst of complex legal and regulatory changes, especially in the areas of privacy and security. In this environment there is a clear need for a security framework specifically designed to help healthcare organizations build a security program that addresses all current data protection requirements.
For years, a widely held view in the healthcare industry has been that HIPAA does not adequately protect health data in today's rapidly changing IT environment.
The HIPAA Security Rule itself does not prescribe specific security controls. Its standards and implementation specifications are technology-neutral, and it requires an ongoing risk analysis as the basis for an organization's selection and maintenance of safeguards. This inherent flexibility, both a benefit and a compliance challenge, has arguably inhibited the ability of HHS to determine and enforce compliance and to provide meaningful guidance, education and support to the industry.
The advent of ARRA has brought long overdue additional statutory requirements for "covered entities" as well as an extension of HIPAA's security and privacy obligations directly to business associates. ARRA adds requirements such as breach notification, an accounting of disclosures, new limits on the sale and marketing use of protected health information, an individual's right to restrict certain disclosures, and increased enforcement and penalties.
There is general agreement that these new requirements will enhance health data protection. HHS will undertake rulemaking on these requirements in the near term, which is expected to produce greater specificity in individual standards.
However, greater specificity in individual standards, without the context of an appropriate security program framework in which to apply them, still does not meet the needs of the industry.
Many security frameworks and framework components already exist. None of them individually meets the particular needs of healthcare organizations, and none clearly relates security controls to an organization's business and strategic goals. A healthcare security framework developed and maintained by healthcare industry stakeholders is the best way to meet those needs.
This framework should include:
• A structure to which an organization can relate its security program that is independent of technology and technology platform.
• A description of common elements that an organization should have in its security program, implemented differently depending on compliance and risk requirements.
• A mechanism for mapping and assessing against current compliance requirements.
• A scalable model capable of integrating new or emerging requirements.
• A guidance resource for the selection and implementation of appropriate security controls and processes.
• A means to determine effectiveness and compliance against measurable industry best practices.
HIPAA, like other data protection requirements, defines the categories of controls needed to ensure the protection of electronic protected health information, but it does not provide an information security framework. HIPAA assumes that those controls will be implemented within a common security framework, an assumption that has not come to fruition.
Facing an increasingly complex and costly security environment, today's healthcare organizations need nothing less than what is already available to other regulated industries with serious data protection requirements: the tools and resources needed to implement a sound security program and to meaningfully demonstrate compliance. It is time to address this disparity in healthcare data protection.