Having strong HIPAA technical safeguards is essential for healthcare organizations of all sizes. However, it is also critical that those safeguards are not the only data security measure that covered entities rely on to keep data protected.
Jeffrey Wilson, Director of Information Services, Assurance and IT Security at Albany Medical Center, discussed the importance of HIPAA technical safeguards with HealthITSecurity.com, adding that CEs must not rely solely on certain technical tools, such as encryption. Believing that encryption alone is the answer to all data security threats is a major misconception in the industry, Wilson explained.
HealthITSecurity.com: What are some common misconceptions that you see in terms of HIPAA technical safeguards?
JEFFREY WILSON: I guess the common misconception would be to be too trusting. The conversation now is beyond just HIPAA compliance, but really is about security. We all should be at a place where we recognize that healthcare has to up its game when it comes to security, and we have to make significant investment in addressing technical safeguards. It would be a false sense of security to believe that that would be the final answer, that they're going to solve the problem – they're not. The major misconception would be putting too much trust in technical solutions to solve the security problem.
HITS.com: What potential benefits and risks/drawbacks are there with encryption options?
JW: The risks would be to the patient if the encryption were poorly managed, or if it were not thoroughly conceived. There's a potential loss of data if you were to screw up management, or if whatever solution you're putting in place is not implemented correctly.
Many of the more common kinds of breaches, until the last 12 months or so, were people just stealing it all. For example, unencrypted laptops, unencrypted thumb drives, or unencrypted backup tapes.
We completed an initiative here within the last year where we encrypted every desktop hard drive. That's pretty extensive. Removable media should always be encrypted. By default we're encrypting greater than 95 percent of all outgoing email at this point.
However, even if you've encrypted everything, don't trust that that's going to solve all the problems. For example, in one of the big breaches, the media made a big deal of the fact that the database where the information lived wasn't encrypted.
At the end of the day, the true story was that the cyber criminals got access to the data. They didn't pick up and carry away this unencrypted database. They were given administrative credentials to the data. So you can encrypt all day long, you can build Fort Knox, you can build the most sophisticated castle that you've ever had, with all kinds of defenses known to man. But if somebody's going to hand over the keys, it's game over.
HITS.com: Talk to me about the importance of employee training in terms of technical safeguards.
JW: It's absolutely indispensable, absolutely top of the priority list. And I think it's the hardest one to solve because of people. Unless they're living in the security world, they're not thinking in those terms.
When the focus is on the business, the focus is on the patient, the focus is on the missions, how do you instill a culture of security to think, "Oh this is important, this affects me, this is one of the most important things I can do on behalf of my organization to take this seriously." And even with top level support, when it's forced from the top down, it's still very difficult to get that through people's heads. We still struggle with the basics: don't share your passwords, understand why we have to have the controls we have in place, don't try to circumvent our systems. Those are still things we deal with every day.
If you're paying any attention at all to what's been happening in healthcare in the last year or so, we're in a different place now. We've ascended to the same level – and maybe even beyond – as banking and retail industries as far as the necessity for security.
HITS.com: How can healthcare organizations best prepare for potential HIPAA audits when it comes to their technical safeguards?
JW: The Office for Civil Rights maintains a website that has the HIPAA audit protocol. It publishes exactly what steps they go through and what they look at when they come into an organization. What we do, and what I recommend, is for organizations to go by that audit protocol and measure themselves as if it were a real live HIPAA audit. For example, where do we stand? You have to be honest with the review. You really need to ask the hard questions, such as, if we put those credentials in place, are they really going to solve the problem? A lot of protocols are designed to hold you accountable for those things, but at the end of the day the goal is to assure the privacy of the patients and the security of the data that you're maintaining on behalf of those people. The program you have in place, and the controls you have in place, do they measure up to that protocol? Also, do they succeed in securing the data? That's the only reason they create the protocols, because left to our own devices, we come up with a thousand different ways to do them in.
HITS.com: What are key things to keep in mind when it comes to user authentication and access controls?
JW: Role based access. I think that's something that we've struggled with. How do you assure that an individual's role within the organization translates appropriately to access in the system? I think that we're just getting to that point now where, as an industry, that's being taken more seriously. But that is one of the requirements of HIPAA, that you maintain that role based access. So organizations need to put the effort into attaining some clarity on the roles within the organization and have that translated into system access. It's paramount because, you know, if the organization is one where people have to agree to a level of longevity, it's like a snowball rolling down the hill. The longer you're there, the more access you accumulate. And that's the exact opposite of what we're trying to achieve.
HITS.com: What advice do you have for healthcare organizations in terms of keeping their HIPAA technical safeguards up to date?
JW: It really comes back to the assessment and reassessment. We're required to do a risk assessment on an ongoing basis. That's on the application level, the enterprise level, and the network level. From there, organizations really must continue to look at all of those elements and try to elevate that to a place where you have a roadmap, you're being hard on yourself and questioning whether or not the controls you have in place are really the ones that you need. I think that it's a difficult thing to keep your own house clean. At the end of the day, bringing in competent reputable third party auditors and letting them look at your HIPAA program and letting them look at your cybersecurity program, those are just requirements for basic responsibility.
The CHIME CIO Features is a collaboration between Xtelligent Media, LLC, and the College of Healthcare Information Management Executives (CHIME), featuring leading hospital and healthcare system CIOs and their experiences in health IT implementation and innovation. For more information about CHIME, visit CHIMEcentral.org.