How EHNAC Hopes to ‘Raise the Bar’ in Health Data Security

“We’re focused on risk mitigation of an organization having a breach, an incident, or a cyber attack.”

By Elizabeth Snell

LAS VEGAS – The Electronic Healthcare Network Accreditation Commission (EHNAC) has been accrediting electronic healthcare networks since 1995, and is no stranger to the importance of health data security.

Health data security discussed by EHNAC at HIMSS16

With the increase in cybersecurity threats and the subsequent push for organizations to connect to HIEs and become interoperable, Executive Director Lee Barrett says that it is critical to “raise the bar” on healthcare privacy and security.

That is a key goal of EHNAC’s accreditation programs, Barrett said, adding that organizations will be guided through best practices, as well as operational and technical framework reviews. Moreover, EHNAC will work with entities to cover the current resources they have to support the products and services they’re providing.

“An organization goes through the reaccreditation every two years, and it’s a pretty rigorous process,” Barrett explained. “The intent is to raise the bar, and we’ve incorporated in that not only the privacy and security aspects, but also aspects of cybersecurity. We’re focused on risk mitigation of an organization having a breach, an incident, or a cyber attack.”

Healthcare organizations are concerned about their data today, according to Barrett, and the large-scale data breaches that are seen in the news continue to feed that concern. Whether it’s the government, such as what happened with the Office of Personnel Management, or a healthcare provider like Anthem, millions of records are being hacked at a time.

Cyber attackers are going after healthcare records because of their value, which is greater than credit card information alone, Barrett warned, and the attacks are likely not going to stop anytime soon.

“The only thing organizations can do is to put in the appropriate controls, have the appropriate policies and procedures in place, and have the rigor of a third party review,” Barrett urged. “That review is assuring that they’ve got the right type of infrastructure in place, the right types of controls, and a framework that they’re going through in an effort to mitigate that risk.”

Transparency is also key for EHNAC, according to VP of Operations Debra Hopkinson. EHNAC will work with organizations to ensure that their policies and procedures are sound, and that they understand how to properly follow them to best mitigate risk.

Even if an organization wants to be accredited within the month, Hopkinson explained that EHNAC will assign an individual to the case immediately and he or she will be there for the entire process.

Barrett agreed, adding that the transparency in how the accreditation programs work allows the industry to provide input. Those in the healthcare industry can also participate on the EHNAC criteria committee.

“We think that that’s important for organizations to have that level of transparency and know what they need to do,” Barrett maintained. “That helps to raise the bar for the industry.”

Working to mitigate cybersecurity risk in an evolving industry

It is not a surprise that cybersecurity is a “hot topic” in healthcare, according to Barrett, which is why it is so important for organizations to understand how they can adjust their security programs to best meet the challenge.

The phrase, “It’s not a matter of if, but when,” is especially true when it comes to healthcare cybersecurity threats, he added.

“The fact that you think you’ve got a small enough network that no one’s going to care about, those are exactly the types of networks [that will be attacked] because in most cases, providers don’t have the level of controls in place,” Barrett warned. “They’re far more vulnerable for an attack.”

Both providers and patients need to care about health data security, he said, regardless of the type of data exchange that is in place.

“Whether it’s an HIE, an ACO, or a provider submitting data to a hospital, you have all these various exchange points that are all potentially vulnerable.”

It is extremely important for those in leadership roles, such as a hospital CISO or CIO, to learn from the large-scale data breaches that took place last year.

“Every single one of these organizations are putting in very strong security environments and infrastructures,” Barrett said. “Many of them as well at the board level, because of these breaches and the exposure it’s causing in the industry, it is now front and center on an agenda for boards of directors and audit committees.”

Extreme controls and requirements are being put in place in their environments for the security structure they have to have, he added.

Those in leadership positions also need to ensure that they are evolving, whether that means putting in new software, new controls, new policies and procedures, or revising what they’re doing in an effort to mitigate risk. Looking at intrusion detection and penetration testing is also important, according to Barrett. Healthcare leaders need to know what they are doing in terms of alerts to be able to address any of these threats.

“All of that is very good for the industry to continue to evolve and put in more rigor and structure into the process, and how they look to meet, address, and remediate each of these threats when they’re occurring.”

Editor’s note: Check back next week for Part Two of the EHNAC interview.
