I was at the Healthcare Information and Management Systems Society (HIMSS) national conference last week in Atlanta. Overall, the conference wasn’t much different than past years. From an information security perspective the presentations and conversations were limited, but there were a number of interesting things that I took away from the conference. First and foremost, healthcare is still very far behind other industries in addressing security concerns at the application provider, hospital and insurer levels. It appears that the larger application providers have begun to address certain concerns; e.g., most healthcare software companies are beginning to address compliance. What’s interesting is that PCI and PCI PA-DSS are the main drivers forcing these organizations to at least review their products. This is obviously backwards, since any healthcare organization would claim that patient information is more important than credit card information, but it’s a testament to how important the stick of strong regulations and standards are when it comes to affecting change in a specific industry. Healthcare software companies still don’t view security or third-party review of their applications as important, but having seen the findings after many of these applications have gone through review, it’s something they will realize that they need to do. Hospitals and insurers are similarly behind in developing strong information security programs, however many organizations are doing the right thing. It appears that it is mainly larger organizations (revenues $5B+) that have well developed security programs that address risk and compliance programmatically. These organizations generally have the funding and executive support to develop programs that are essentially what you would find in a similarly sized and well-managed Fortune 500 firm. The smaller firms ($5B and less) are generally much farther behind other similarly sized organizations in other industries. Many are just addressing PCI and are just starting to think about how they are going to truly address securing protected health information (PHI). Based on these observations, there is a lot of work to be done to improve information security within healthcare. One would hope that the discussion surrounding this would take place at a conference like HIMSS. While security was not a main track at the conference, there were some discussions on security at HIMSS within the context of the American Recovery & Reinvestment Act (ARRA) and electronic medical records (EMR) security, including a daylong ARRA seminar on Sunday before the formal conference opening. However, since ARRA isn’t focused on security, the coverage of information security within these presentations tended to be somewhat limited. It was very interesting that the Health Information Trust Alliance (HITRUST) was not discussed much at the conference. As the most comprehensive and usable solution for healthcare security, there weren’t any sessions on the topic and even conversations surrounding it were heavily overshadowed by discussions about ARRA. As one of the most valuable new initiatives for enhancing healthcare information security, hopefully this will change next year as the industry begins to understand how the HITRUST security framework can be of value to them. With all the focus and money targeting healthcare IT, the next year will be very interesting and addressing security should be a high priority. Ideally, with the massive amounts of new funding available, more organizations will adopt a risk-based approach to their businesses, backed up by a strong information security program. As illustrated by the success of PCI (even within healthcare), it will probably take a combination of drivers to achieve this, including a strong dose of regulation to force changes within the healthcare industry. Hopefully, the outcome will incorporate standards such as HITRUST to ensure consistency, maturity, and higher levels of security within the healthcare industry.
Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website cannot function properly without these cookies.
YouTube session cookie.
Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third party advertisers.
Analytics cookies help website owners to understand how visitors interact with websites by collecting and reporting information anonymously.
Preference cookies enable a website to remember information that changes the way the website behaves or looks, like your preferred language or the region that you are in.
Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
Cookies are small text files that can be used by websites to make a user's experience more efficient. The law states that we can store cookies on your device if they are strictly necessary for the operation of this site. For all other types of cookies we need your permission. This site uses different types of cookies. Some cookies are placed by third party services that appear on our pages.
Discover why security operations teams choose NetSPI.