Privacy & Security: Never-ending Vigilance | Charlene Marietti | Healthcare Blogs

Privacy & Security: Never-ending Vigilance

May 13, 2011
by Charlene Marietti
Security strategies focus on reality of maintaining privacy of PHI

Federal rules and regulations, especially the HITECH Act (ARRA) with its enhanced set of HIPAA regulations, have focused an increased amount of attention on implementing security measures that can maintain the integrity of personal health information (PHI).

But these regulations are not driving security strategies for progressive CIOs and CISOs. The rules are for the common good, but they are not the basis on which these leaders structure their data protection strategies, say "Privacy and Security Issues" panelists at the Healthcare Informatics Executive Summit in San Francisco on May 12.

Jennings Aske, J.D., is proactive about security. If you build your infrastructure to adhere to national security standards, it will not be a problem to meet state and federal privacy mandates, says the chief information security officer of Partners HealthCare in Boston.

One aspect of maintaining the privacy of PHI is more difficult to control than security standards--and that is organizational culture. Most often, data breaches will occur because of staff members inappropriately accessing records.

Data breaches are inevitable, says Jim Elert, CIO, Shared Services, Trinity Health, Novi, Mich. Delving into who has control, where, and why, will uncover more gaps and leaks than is imaginable.

Snooping staff are not the only threat. Healthcare IT systems are notoriously weak in security. Whether that is the fault of the developer or of purchasers' lack of demand for stringent security measures is a moot point. There are many security shortcomings and huge development gaps, Elert notes.

Sharing the physician informaticist viewpoint was Joseph Bormel, M.D., chief medical officer and vice president for clinical strategy, QuadraMed, Reston, Va., who emphasized the importance of helping physicians understand the value of security to them and to their clinical care. Aske says he presents security measures to physicians as important to maintaining the integrity of clinical data.

Charlene Marietti, Jennings Aske, J.D., Jim Elert, Joseph Bormel, M.D. at the Privacy and Security Issues Breakout Session at the HCI Executive Summit.



Thanks for convening the Healthcare Informatics Executive Summit and moderating the Privacy and Security Session. Jennings Aske and Jim Elert both made it clear that, beyond the breaches, the range of privacy violations defies predictability. Multiple speakers at the Summit commented that we cannot control the entry of consumer devices into our facilities, with Wi-Fi, 3G/4G phones, hi-res cameras with strong optical zooms, and unexpected apps.
"Privacy" as we knew it is not sustainable. And as I shared with the audience, there was an implicit concept of "Process Privacy," where doctors' practices and reasoning were far from transparent. That, too, is changing. Lastly, as we move to more patient-centered care, patient behavior will be less private and more transparent, at least to caregivers. Privacy may give way to accountability and vice versa. Although this isn't centrally an HCIT problem, privacy and privacy-reducing transparency are both impacted and care can be improved by these open discussions.