

Un-complicating Healthcare IT

Health IT Security: A Problem Not Going Away

Dec 11, 2015 7:30:00 AM Posted by Jim Tufts | Leadership Solutions Team Lead

If there was one (or two) things I could change overnight in Healthcare IT, it would be security and usability.

According to the peer60 (p60) 2015 Healthcare Data Security Research Report, 96% of hospitals say health information security is a huge priority for them, and of those, 30% said it was their #1 priority. 2015 lived up to its predicted name, "The year of the cyber attack," and in 2016, securing Patient Health Information (PHI) is still at the top of the priority list for most.

Not only is keeping EPHI secure a concern for healthcare leaders, it's also a concern for patients. In this Software Advice survey, 21% of patients said they were so concerned about data breaches that they withhold personal information from their physicians, and 54% of patients said they would switch healthcare providers as a result of a data breach.

So, what can you do? Here are a few places to start when keeping EPHI secure in 2016:

Get an In-depth Risk Assessment: 

First, identify every system that contains EPHI, then analyze all threats and vulnerabilities and the impact they could have on those systems. Document your existing controls, determine whether the residual risk level is acceptable, and develop a roadmap for remediating the unacceptable risks. You'll then want to obtain Executive and Board acceptance of the risks that remain.
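As an added illustration of the assessment steps above (not code from the article or its author), here is a small risk register that scopes to EPHI systems, scores inherent risk, applies documented controls to get residual risk, and splits the result into risks to accept and a remediation roadmap. The 1-5 likelihood/impact scales, the risk appetite threshold and the sample inventory are all assumptions constructed for the example.

```python
from dataclasses import dataclass, field

# Assumed scoring: likelihood and impact on 1-5 scales; residual score above
# RISK_APPETITE is unacceptable and goes on the remediation roadmap.
RISK_APPETITE = 6


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # likelihood points this existing control removes


@dataclass
class Threat:
    name: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), before controls
    impact: int      # 1 (negligible) .. 5 (severe) for the EPHI involved
    controls: list = field(default_factory=list)

    def inherent_risk(self) -> int:
        return self.likelihood * self.impact

    def residual_risk(self) -> int:
        reduced = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        return max(1, reduced) * self.impact  # a control never drives likelihood below 1


@dataclass
class System:
    name: str
    holds_ephi: bool
    threats: list = field(default_factory=list)


def assess(systems, appetite=RISK_APPETITE):
    """Return (accepted, roadmap); roadmap holds unacceptable residual risks, highest first."""
    accepted, roadmap = [], []
    for system in systems:
        if not system.holds_ephi:
            continue  # step one: only systems containing EPHI are in scope
        for t in system.threats:
            entry = (system.name, t.name, t.inherent_risk(), t.residual_risk())
            (roadmap if t.residual_risk() > appetite else accepted).append(entry)
    roadmap.sort(key=lambda e: e[3], reverse=True)
    return accepted, roadmap


# Constructed sample inventory for the example (not real systems)
INVENTORY = [
    System("EHR database", True, [
        Threat("Ransomware via phishing", 4, 5, [Control("Mail filtering + offline backups", 1)]),
        Threat("Lost laptop with EPHI export", 3, 4, [Control("Full-disk encryption", 2)]),
    ]),
    System("Cafeteria POS", False, [Threat("Card skimming", 3, 3)]),
]
```

The roadmap entries are the risks that need Executive and Board sign-off on remediation; the accepted list is what they formally accept as residual risk.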

Develop a comprehensive information security program

The first step in your information security program is to effectively address the risks identified through the risk assessment you've had performed. Next, you must include a detailed IT Disaster Recovery Plan, which provides for the orderly restoration of systems and operations. Test and revise your DR plan as needed.

Frequently test your controls, policies and procedures, and audit compliance with the program through internal audits and periodic external audits, at least annually and after any security incident. Periodically review your information security program and revise it as needed. Remember, HIPAA compliance is not the end game; it's the starting point.

Educate, Educate, Educate

It's important to develop and deliver comprehensive security training for every workforce member. Provide frequent security reminders (here's an example of one) to your team, regularly audit compliance with security measures, and assess workforce security awareness. Then continue to review and revise the training as needed to address new threats as they emerge. All of this helps create a "security oriented" culture.

Keep current on security news

You can monitor threat and vulnerability alert sites, such as the US-CERT (United States Computer Emergency Readiness Team) National Cyber Awareness System (NCAS) subscription service or SANS Institute NewsBites, for major security alerts, bulletins and tips. You can also look to vendor security sites such as Symantec, Trend Micro, Kaspersky, etc.

Get Cyber Security Insurance

Most commonly, cyber coverage is some combination of four components: errors and omissions, media liability, network security, and privacy. If you need help deciphering which of those four components, or which combination of them, is right for your facility, let us know and we can talk you through it.

If you're looking for a full-on healthcare security partner, we have a team helping hospitals and clinics around the clock with all their security needs. To get started, let us know if you'd like a free Q&A call with our Virtual Security Officer.



Jim Tufts | Leadership Solutions Team Lead

Jim, along with the Leadership Solutions team, leads and guides healthcare providers in user education, consulting, process improvement, disaster recovery planning, strategic IT planning and more. Jim is the author of the whitepaper "Guide to the HIPAA Security Rule," and is often found in healthcare association meetings, at national conferences, or in a healthcare board room educating on protecting electronic patient health information.