Healthcare and Technology news

Are you doing your security framework right?

It turns out many healthcare organizations get more than a few things wrong about their information security frameworks – big time. Whether it's about properly integrating a framework or even appropriately tailoring a framework, there's a list of items organizations should pay attention to. 
If done right, information security frameworks can be used to meet an organization's risk analysis requirements under the HIPAA Security Rule, in addition to helping define a "baseline of protection," said Bryan Cline, senior advisor at HITRUST Alliance, but that's only if they're properly selected and implemented. And many organizations don’t necessarily do this successfully.
Cline, who will be speaking at the Healthcare IT News Privacy and Security Forum this March in a session on data security framework need-to-knows, says the biggest oversight he sees organizations make "is in not tailoring the framework appropriately." Added Cline, "organizations either rely on the framework without tailoring the requirements to address all reasonably anticipated threats, or they tailor the framework's requirements – usually by removing some of them – without fully understanding the additional risk that's incurred."
Sure, a security framework will help in the compliance arena, but improper tailoring and failure to keep it updated will inevitably lead to information-related risks being inadequately addressed, he said. This up-to-date piece is crucial, Cline said, because "frameworks also grow stale over time, as it can take several years for most frameworks to be updated and released."
Another big oversight, as Cline pointed out? Failing to integrate the framework into everyday operational processes. "For example," he said, "personnel with security responsibilities – whether in the security organization or elsewhere (e.g., HR or IT) – should be tied to the framework's controls and the security services that support their implementation." This, he added, would allow organizations to manage risk through managing the security services.
At his forum session, Cline, who is also the managing partner for Cline & Shiozawa Professional Services and was previously the chief information security officer at Catholic Health East and The Children’s Hospital of Philadelphia, will go over security risk management frameworks and how they can be leveraged in an organization's data protection programs. This includes, as Cline pointed out, how organizations can use these frameworks to meet risk analysis requirements under the HIPAA Security Rule.


Study: Nearly half of patients would withhold data from providers


Nearly half of patients participating in a trial looking at patient control of medical records withheld clinically sensitive information from some or all of their care team.

The Regenstrief Institute, Indiana University School of Medicine and Eskenazi Health (formerly Wishard Health Services) conducted the six-month trial involving 105 patients at a primary care clinic. Patients were allowed to designate who could see their records, including information on sexually transmitted diseases, substance abuse or mental health.

Patients were able to hide some or all of their data from some or all providers--and 49 percent of them did. However, healthcare providers were able to view the hidden data, if they felt the patient's healthcare required it, by hitting a "break the glass" button on their computer screens, according to an announcement.

While patients strongly favored control over their records, providers had mixed reactions. In the trial, 54 percent of providers said patients should be able to control who can see their electronic health record data; 58 percent said restricting providers' access could be harmful to the patient-physician relationship; and 71 percent said withholding data in the EHR would have a negative impact on the quality of care.

The five research papers from the trial, including a point-counterpoint, make up the January 2015 supplement to the Journal of General Internal Medicine.

The growing ability to collect different data sets on patients has been both a curse and a blessing for the industry.

Since recommending that social and behavioral data be included in EHRs, the Institute of Medicine has a committee working out exactly which pieces of information it considers most relevant to health. It has winnowed its recommendations down to 11, including educational attainment, financial resource strain, stress, depression, physical activity, social isolation, and intimate partner violence.

However, a provider's use of an electronic health record can cause a patient to clam up for fear that the data won't be secure, according to a study in the Journal of the American Medical Informatics Association (JAMIA).

In addition, data segmentation poses a problem in EHRs, with teen privacy a particular challenge. Providers, however, worry that without segmentation capabilities, patients will be reluctant to divulge facts about themselves that could have a vital bearing on their care.
