Providing a Frontline of Defense for PHI

April 16, 2014
by Rajiv Leventhal
Security/privacy expert discusses the necessities of keeping healthcare organizations breach-free

A recent report from Redspin, Inc., a Carpinteria, Calif.-based provider of IT security assessments, revealed that in 2013, the number of protected health information (PHI) breaches was up 138 percent from 2012, with 199 incidents of breaches of PHI reported to the Department of Health and Human Services (HHS) impacting over 7 million patient records. The report, the fourth annual one from Redspin, found that nearly 30 million Americans have had their health information breached or inadvertently disclosed since 2009.

And when a security breach happens, the financial impact on healthcare organizations is often significant. According to The Ponemon Institute’s Fourth Annual Benchmark Study on Patient Privacy & Data Security, the average economic impact of data breaches over the past two years for the healthcare organizations represented in the study was $2 million—albeit that number is a decrease of almost $400,000, or 17 percent, from the previous year. That same study revealed that 90 percent of respondents had at least one data breach over the past two years, while 38 percent have had more than five data breaches in the same time period. Undoubtedly, increasing the security of patient records is an issue that can no longer be ignored.

As the rapidly evolving healthcare industry faces increasing challenges to keeping PHI protected—including growing volumes of electronic health records (EHRs), new government regulations, and a more complex IT security landscape—there is a growing need to ensure knowledgeable and credentialed security and privacy practitioners are in place to protect this sensitive information.

Enter (ISC)2, a provider of security education and credentials to nearly 100,000 security professionals across the globe. (ISC)2 recently launched its first healthcare-specific credential: the HealthCare Information Security and Privacy Practitioner (HCISPP). Given increased regulation with the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) around the security of PHI and widely reported data breaches in hospitals and the like, (ISC)2 officials said they felt the timing was right to bring to market a credential to ensure that healthcare information security professionals have the right skills and education to do their jobs. The HCISPP credential targets a whole new audience, the healthcare community.

Sarah Hendrickson, interim chief security officer at Children’s Medical Center in Dallas, Texas, was one (ISC)2 expert who was asked to define the HealthCare Information Security and Privacy Practitioner exam, and write the actual questions for the taker. In a recent conversation with Healthcare Informatics Assistant Editor Rajiv Leventhal, Hendrickson spoke further about the significance of this exam as it relates to health IT security, as well as strategies, challenges, and lessons learned from industry leaders when it comes to providing a frontline defense for protecting health information. Below are excerpts from that interview.

How does the HealthCare Information Security and Privacy Practitioner differ from previous security/privacy credentials?

(ISC)2 is looking to make sure to have more than just the security and privacy pieces involved. For example, I can say I work for the security department in my organization, but that might mean only doing one thing a day under the security umbrella. So I think this certification really is helpful because it’s looking across all these different domains, making sure you have healthcare, security, privacy, and IT backgrounds before you even sit down for the exam. It identifies the niche of the candidate for the healthcare environment rather than just being another generalized exam that you can leverage across any industry.

Sarah Hendrickson

For this exam, they’re looking at a broad audience of just about anyone who needs to have security and privacy in the healthcare industry for their job, including compliance officers, auditors, and privacy officers—it covers the gamut of anything that could be security and privacy, but is also specific to the healthcare industry. The exam is already live, and people are taking it, so it’s generating interest. When I look for candidates for healthcare roles, I want to make sure they understand the nuances around the data we’re trying to protect. To see a certification like this come forward is great. I see this becoming the standard for healthcare credentialing.

Across the industry, has protecting data become more of a priority now in healthcare organizations?

Definitely. Looking back through the years, we had HIPAA come about in the late 1990s, and it was pretty silent until HITECH introduced safe-harbor provisions. Then, in the past five years, there has been much more clarity and legislation, whereas prior to that it was about industry best practices rather than a blueprint on how to maintain and achieve that compliance.