Staying Ahead of the Curve on Data Security | Healthcare Informatics Magazine | Health IT | Information Technology

Staying Ahead of the Curve on Data Security

September 29, 2010
by John Degaspari
Securing Patient Data in A Changing Healthcare Landscape


New requirements under the HITECH Act and HIPAA are proving to be game-changers when it comes to vendor relationships and breach reporting requirements. Meanwhile, health providers must cope with portable electronic devices that are gradually making their way into the workplace. Experts weigh in on what hospital systems need to do to protect their patient data.

Amid the sweeping healthcare regulatory reform measures that have been put into place over the past year, the responsibility of healthcare providers to protect the integrity and privacy of patient data has become more important than ever. Yet, for reasons that are partly regulatory and partly technological, the task of securing patient data has also become more difficult than ever before.

As hospitals scramble to meet meaningful use requirements under the Health Information Technology for Economic and Clinical Health (HITECH) Act, they must also contend with more stringent reporting requirements. In addition, responsibilities of health provider business associates and subcontractors have been broadened under proposed rules, issued in July, that are designed to strengthen the Health Insurance Portability and Accountability Act (HIPAA). The proposed rulemaking would also expand an individual's rights to access their information and restrict certain types of disclosures of protected health information to health plans. In short, all entities with access to patient data now have more skin in the game.

In the technology arena, more data is on the move today, the result of the relentless waves of new handheld devices that clinicians often want to bring into the workplace. Meanwhile, the sheer volume of electronic data resulting from the transition to electronic records is requiring healthcare providers to rely more heavily on third-party vendors.


Given the volume of electronic patient data involved, it's perhaps not surprising that breaches are occurring. According to the Department of Health and Human Services’ Office of Civil Rights (OCR), 146 data breaches affecting 500 or more individuals occurred between Dec. 22, 2009 and July 28, 2010. The types of breaches encompass theft, loss, hacking, and improper disposal; and include both electronic data and paper records. To combat such data security violations in the future, experts interviewed for this article say hospitals must focus more attention on encryption, vetting of third-party business associates, and educational efforts to help clinicians recognize the importance of complying with their hospitals’ security measures.


CIOs charged with securing data in their organizations are finding that successful data security depends on top-down support and on a comprehensive strategy. It also helps to rely on an existing framework of standards for guidance, they say.

Jim Elert, CIO of shared services at the 47-facility Trinity Health, Novi, Mich., says that security is much more than a matter of passwords and firewalls. When building a security program, it's necessary to take a comprehensive view that accounts for governance, policies, and education, so that people who must use the system understand it, he says.

A similar view is expressed by Jennings Aske, chief information security officer at the Boston-based Partners Healthcare. He says healthcare organizations should not view security as primarily a regulatory-driven matter, but one that is intrinsic to meeting the organization's business objectives. “One of the big things in our organization, which I have preached since day one, is to stop chasing the law,” he says. “When organizations do something because it is regulatory-driven, they are missing the big picture. You should be doing security because it is the right thing to do, not because the law says you have to do it.”





In David Scott's words, everyone needs to be a mini-Security Officer today. I think Mr. Scott is right: Most individuals and organizations enjoy Security largely as a matter of luck. Anyone else here reading I.T. WARS? I had to read parts of this book as part of my employee orientation at a new job. The book talks about a whole new culture as being necessary — an eCulture — for a true understanding of security, being that most identity/data breaches are due to simple human errors. It has great chapters on security, as well as risk, content management, project management, acceptable use, various plans and policies, and so on. Just Google IT WARS — check out a couple links down and read the interview with the author David Scott at Boston's Business Forum. (Full title is I.T. WARS: Managing the Business-Technology Weave in the New Millennium). For some free insight, check out his blog, "The Business-Technology Weave" — you can Google to it, or search on the site IT Knowledge Exchange which hosts it. "In the realm of risk, unmanaged possibilities become probabilities." Great stuff.