The Delicate Balance of Information Availability and Information Security in Healthcare

I remember when I couldn’t even get access to my own (paper) medical records!  I love that my clinic is now using electronic medical records (EMR), which makes my health information and my family’s easily accessible to our healthcare providers. This makes our care more efficient and effective.

Healthcare organizations are adopting new technologies to meet the objectives of the American Reinvestment and Recovery Act (ARRA) and Health Information Technology for Economic and Clinical Health Act (HITECH). One of the main goals is to speed up the transfer of information between care providers and increase accuracy, thereby ensuring treatment is both timely and appropriate.  The technology advances include using powerful mobile devices, cloud computing, and widespread wireless/wireline IP Networks.

The technologies will help improve patient care while making Protected Health Information PHI accessible quickly to those who are authorized and need that information to provide patient care (as well as pay for that care).  The healthcare ‘ecosystem’ is made up of various players, including patients, points of care, payers, clinical support, business associates, and information technology providers.  That means that many of the ecosystem players will need access to PHI to support the care of any such patients.  Now there is PHI traversing into, stored throughout, and traversing out of these various organizations.  The flow of such information raises security concerns.

How can the healthcare community reduce risks to PHI while improving patient care?

Establish a security program and architecture foundation that is agile (allowing the organization to change and update the security program based upon evolving business needs and subsequent risks). The program should involve trusted to partners, business associates, and those in the healthcare ecosystem (but most importantly patients). It should also be transparent.

  1. Adopt and implement a framework that is acceptable in the healthcare industry, meets security and privacy requirements, addresses risks specific to the industry, and provides guidance and controls based upon those risks.  The framework reduces the effort of addressing multiple compliance requirements, and addresses areas of risk that are not included within regulatory requirements. Organizations need to think beyond compliance and move towards risk management.  Compliance does not equal security.  The framework provides a foundation, and is agile and flexible enough to incorporate changing business needs and security requirements.
  2. Healthcare organizations need to balance the operational needs for availability of patient information with the need to protect that information from unauthorized disclosure.  This can be accomplished by assessing the risks to data.  Risk management is an ongoing process and can be incorporated into existing processes (e.g., SDLC, technology evaluation, BA relationships, IA audit plan) and stand alone processes (ongoing vulnerability management, external third-party assessments).  With a solid foundation and a baseline risk assessment, organizations can start benchmarking their program, show maturity year after year, and continually update strategic plans based upon risks, with the end goal of moving from a reactive state to a proactive state.
  3. Compliance in healthcare requires transparency in reporting across enterprise systems, IT networks, and extended business relationships.  Creating transparency means the ability to track and monitor the state of security, risks/vulnerabilities, and action items impacting PHI across the organization.  This occurs when the business and IT work together to protect the data so that the organization knows where the data is and can apply appropriate protection measures.

Please see the infographic that we have created to delineate the risks within the healthcare industry and offer tips to address those risks.

Carisa Brockman Security Consulting Services Practice Director AT&T About Carisa