The first HIMSS Privacy & Security Forum in the western U.S. proved to be a success, drawing more than 300 participants, including covered entities (CEs) and business associates (BAs), speakers, exhibitors, and partners. We reconnected with several clients and met new friends at our booth, which was located right in the middle of the action. We also co-hosted a dinner with our partner, Voltage Security, and enjoyed catching up with old acquaintances and meeting new ones.
The agenda was full of hot topics including the opening keynote address by Jim Doggett, Senior Vice President, Chief Security Officer & Chief Technology Risk Officer at Kaiser Permanente, who spoke about the advances in technology that are dramatically changing the risk landscape for healthcare organizations. Mr. Doggett pointed out how privacy and security initiatives must evolve constantly to address new and growing threats. One interesting slide he shared with the audience was this one (slide #4), which shows the plethora of technologies where data resides and must be protected.
Another challenge we heard about from several attendees was de-identification. Organizations need to understand why de-identifying protected health information (PHI) matters: data that has been properly de-identified under the HIPAA Privacy Rule is no longer PHI, so its exposure is not a reportable breach. The Safe Harbor method (removing the 18 listed categories of identifiers, with no actual knowledge that the remaining data could identify the individual) is one of the two recognized ways to get there; the other is Expert Determination. Covered entities and their business associates currently face the challenge of realizing value from healthcare data while protecting patient privacy, and de-identification can provide a way to satisfy both needs. There is more information on this topic in this perspective paper.
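To make the Safe Harbor method concrete, here is an added example (not code from the conference, the speakers, or the perspective paper) that applies three of its generalization rules to a patient record: geography is reduced to the first three ZIP digits, with the 17 prefixes HHS lists as covering 20,000 or fewer people collapsed to 000; dates directly related to the individual keep only the year; and ages over 89 are aggregated into a single 90+ category, which also means suppressing the year of birth, since the year alone would reveal the age. Direct identifiers are dropped by a field list. The field names, the sample records, and the reference date are constructed for the example; a real pipeline also has to cover the remaining Safe Harbor categories (device serial numbers, URLs, IP addresses, biometric identifiers, full-face photos, and any other unique identifying number) and the no-actual-knowledge condition, which is a judgment call rather than a code path.

```python
import re
from datetime import date

# HHS Safe Harbor guidance: these 17 three-digit ZIP prefixes cover
# geographic units of 20,000 or fewer people and must be reported as 000.
RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Direct identifiers this example drops outright. Constructed field names;
# a real schema will differ and will have more of them.
DROP_FIELDS = {"name", "ssn", "mrn", "phone", "email", "street", "city",
               "ip_address"}

# Fields that are generalized rather than dropped.
GENERALIZED_FIELDS = {"zip", "dob", "admit_date"}

# Constructed reference date for computing ages in the sample run.
AS_OF = date(2014, 6, 1)


def generalize_zip(zip_code):
    """Keep the first three ZIP digits; restricted prefixes become '000'."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def age_on(dob, as_of):
    """Whole years elapsed between dob and as_of."""
    birthday_passed = (as_of.month, as_of.day) >= (dob.month, dob.day)
    return as_of.year - dob.year - (0 if birthday_passed else 1)


def safe_harbor(record, as_of):
    """Return a de-identified copy of one record (keys as in SAMPLE)."""
    out = {k: v for k, v in record.items()
           if k not in DROP_FIELDS and k not in GENERALIZED_FIELDS}
    out["zip3"] = generalize_zip(record.get("zip"))

    dob = record["dob"]
    age = age_on(dob, as_of)
    if age >= 90:
        # Over-89 rule: aggregate the age AND suppress the birth year,
        # because a 1920 birth year alone would disclose the age.
        out["age"] = "90+"
        out["birth_year"] = None
    else:
        out["age"] = age
        out["birth_year"] = dob.year

    # Dates directly related to the individual keep only the year.
    out["admit_year"] = record["admit_date"].year
    return out


def deidentify_all(records, as_of=AS_OF):
    return [safe_harbor(r, as_of) for r in records]


# Constructed sample records; no real patients.
SAMPLE = [
    {"name": "Jane Q. Public", "ssn": "123-45-6789", "mrn": "MRN-0042",
     "phone": "555-0100", "email": "jane@example.com", "street": "1 Main St",
     "city": "Springfield", "zip": "02138-1234", "dob": date(1975, 6, 15),
     "admit_date": date(2014, 3, 2), "dx": "E11.9", "sex": "F"},
    # ZIP 059xx is a restricted prefix and the patient is over 89, so both
    # the geography and the age/birth-year rules trigger on this record.
    {"name": "John Doe", "ssn": "987-65-4321", "mrn": "MRN-0043",
     "phone": "555-0101", "email": "john@example.com", "street": "2 Elm St",
     "city": "Stonington", "zip": "05901", "dob": date(1920, 1, 1),
     "admit_date": date(2014, 4, 10), "dx": "I10", "sex": "M"},
]

if __name__ == "__main__":
    for row in deidentify_all(SAMPLE):
        print(row)
```

The second sample record is the one worth studying: a naive implementation that only truncated the ZIP and kept the birth year would leave a 94-year-old in a sparsely populated ZIP3 readily identifiable, which is exactly the re-identification risk the over-89 and restricted-prefix rules exist to close.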
Iliana Peters from the OCR drew a huge crowd with her HIPAA Update, which gave an overview of the permanent audit program OCR plans to launch on October 1st. An important item to note: there will be no ‘back and forth’ during the desk and onsite audits. You get one chance to get it right, so it is important to get your house in order now, in the form of evidence libraries and the like, so you are ready in the fall. More about audit preparation can be found in this perspective paper.
A well-attended panel on the latest issues in medical device security was nicely represented by both the technology side (Kevin Fu, Associate Professor at the University of Michigan) and the application side (Tom August, Director of Information Security at Sharp Healthcare). Attendees were glued to this session as they tallied up the devices in their own environments and arrived at estimates of 50,000, 100,000 and more. Fu and August made the point that as more data from medical devices is fed into EHRs on a provider’s network, securing those devices against malware and other cyber threats has become a vital part of any comprehensive security program. More on the latest in medical device security can be found in this perspective paper.
Finally, the topic of virtualization was addressed by panelists in discussions ranging from ‘how do I protect data in a BYOD world?’ to ‘how can I boost networking and security?’ They also covered the recent HIMSS Analytics Cloud Survey and these challenges around cloud security:
A lack of HHS guidance on how HIPAA applies to cloud computing.
What if a cloud vendor were unaware it was hosting PHI for a covered entity?
No guidance or audit protocols specific to business associates exist today.
How to handle patient rights and breaches when you may not know what information you have?
In a nutshell, many speakers echoed the message of the Information Week article: Target and the other retail giants breached recently were actually more secure than today’s average healthcare organization. So the key message of the conference was simply this: compliance does not equal security. This is exactly what we have been helping our clients with: a full-fledged, comprehensive risk management program that protects your data wherever it resides, so that your HIPAA compliance goes beyond a check in the box.