NetSPI Imformation Security Consulting
NetSPI Blog

Posts Tagged ‘Healthcare security requirements’

Observations from HIMSS

| Wednesday, March 10th, 2010

I was at the Healthcare Information and Management Systems Society (HIMSS) national conference last week in Atlanta. Overall, the conference wasn’t much different than past years. From an information security perspective the presentations and conversations were limited, but there were a number of interesting things that I took away from the conference. 

First and foremost, healthcare is still very far behind other industries in addressing security concerns at the application provider, hospital and insurer levels. It appears that the larger application providers have begun to address certain concerns; e.g., most healthcare software companies are beginning to address compliance. What’s interesting is that PCI and PCI PA-DSS are the main drivers forcing these organizations to at least review their products. This is obviously backwards, since any healthcare organization would claim that patient information is more important than credit card information, but it’s a testament to how important the stick of strong regulations and standards are when it comes to affecting change in a specific industry. Healthcare software companies still don’t view security or third-party review of their applications as important, but having seen the findings after many of these applications have gone through review, it’s something they will realize that they need to do.

Hospitals and insurers are similarly behind in developing strong information security programs, however many organizations are doing the right thing. It appears that it is mainly larger organizations (revenues $5B+) that have well developed security programs that address risk and compliance programmatically. These organizations generally have the funding and executive support to develop programs that are essentially what you would find in a similarly sized and well-managed Fortune 500 firm. The smaller firms ($5B and less) are generally much farther behind other similarly sized organizations in other industries. Many are just addressing PCI and are just starting to think about how they are going to truly address securing protected health information (PHI).

Based on these observations, there is a lot of work to be done to improve information security within healthcare. One would hope that the discussion surrounding this would take place at a conference like HIMSS. While security was not a main track at the conference, there were some discussions on security at HIMSS within the context of the American Recovery & Reinvestment Act (ARRA) and electronic medical records (EMR) security, including a daylong ARRA seminar on Sunday before the formal conference opening. However, since ARRA isn’t focused on security, the coverage of information security within these presentations tended to be somewhat limited.

It was very interesting that the Health Information Trust Alliance (HITRUST) was not discussed much at the conference. As the most comprehensive and usable solution for healthcare security, there weren’t any sessions on the topic and even conversations surrounding it were heavily overshadowed by discussions about ARRA. As one of the most valuable new initiatives for enhancing healthcare information security, hopefully this will change next year as the industry begins to understand how the HITRUST security framework can be of value to them.

With all the focus and money targeting healthcare IT, the next year will be very interesting and addressing security should be a high priority. Ideally, with the massive amounts of new funding available, more organizations will adopt a risk-based approach to their businesses, backed up by a strong information security program. As illustrated by the success of PCI (even within healthcare), it will probably take a combination of drivers to achieve this, including a strong dose of regulation to force changes within the healthcare industry. Hopefully, the outcome will incorporate standards such as HITRUST to ensure consistency, maturity, and higher levels of security within the healthcare industry.

Permalink | Email the Author | No Comments

Tags: , , ,

Healthcare Organizations and Tighter Security Requirements

| Tuesday, August 11th, 2009

Because of increasing threats, high-profile data breaches, and increased awareness of the damage they cause, we anticipate a substantial tightening of regulations and contractual requirements that will significantly impact information security in healthcare.

Today, HIPAA, CCHIT, and state breach notification laws are the main standards that govern security within healthcare systems that deal with protected health information (PHI). But these are generally high-level requirements with low levels of enforcement. The American Recovery and Reinvestment Act (ARRA) of 2009 contains legislation mandating broader and deeper security for healthcare, and the consensus view is that more legislated regulations will follow.

The Healthcare Information Trust Alliance (HITRUST) is an industry group that has developed a set of standards, the Common Security Framework (CSF). This set of standards generally follows industry best practices and is very comprehensive. Important members of this group (Humana, United Health Group, Blue Cross Blue Shield, and Columbia HCA, to name a few) are pushing to mandate these standards across the industry. It is possible that many of these standards will be adopted by the group members through a contractual stipulation that the software they purchase meet the HITRUST CSF standards.

In addition to HIPAA and CSF, Payment Card Industry (PCI) standards also affect healthcare payers and providers when credit card information is involved in any way (processing, storing, or transmitting). For healthcare payers and providers, the PCI Data Security Standard (PCI DSS) applies. For healthcare software providers whose applications touch credit card data, the PCI Payment Application Data Security Standard (PA-DSS) applies.

It is likely that the Obama administration will implement much stricter security standards in healthcare, in conjunction with its emphasis on greater use of electronic health records (EHR). It is also likely that these standards will follow industry best practices and be based on the most successful existing standards, such as PCI and HITRUST. Based on this likely increase in regulations and the increasing number of threats, healthcare organizations should develop a risk-based security strategy that includes industry best practices using HIPAA, CCHIT, PCI and HITRUST as a guide.

Permalink | Email the Author | No Comments

Tags: , , , , ,