I recently interviewed hospital CIOs and other experts on the issue of healthcare data security. What they told me emphasized, for me, the wide-ranging challenges faced by hospitals in making sure that the patient data is secure. Those challenges come from both the regulatory changes under the Health Information Technology for Economic and Clinical health (HITECH) Act and the Health Insurance Portability and Accountability Act (HIPAA), as well as technology available with the wide range of portable electronic consumer devices now on the market.
Jim Elert, CIO of shred services of Trinity Health, Novi, Mich., says that healthcare security is much more than a matter of passwords and firewalls. When building a security program, it’s necessary to take a comprehensive view that takes into account governance, policies, and education, so that people who use the system understand it.
Jennings Aske, chief information security officer at Boston-based Partners Healthcare, takes a similar view. He cautions that healthcare organizations should not view data security as a regulatory driven matter, but one that is intrinsic to an organization’s business objectives. “You should be doing security because it is the right thing to do, not because the law says you have to do it,” he says.
Both experts say they have existing standards from the International Organization of Standards (ISO) and the National Institute of Standards and Technology (NIST) have provided guidance in putting together their security policies.
I think they make a good point. At a time when a proliferation of new regulations and technological devices are putting extra demands on hospital IS departments, it makes sense to rely on existing standards to ensure compliance. In a fast changing environment, NIST and ISO standards can at least help healthcare organizations in the right direction with regards to putting controls in place to protect their patient’s data.
More on the challenges on protecting patient data will appear in the October issue.