The Security Scrutinizer with Howard Anderson

Security Pros Discuss Top Challenges

Creating Practical Privacy, Security Policies Can Be Difficult

Attendees at the privacy and security workshop Feb. 20 talked about a number of issues they're taking on, including:

  • Composing a comprehensive, yet practical, set of privacy and security policies and procedures. Creating pragmatic policies "is a very tough topic for the team that I'm on," one attendee said.
  • Determining how best to convey to patients the steps an organization is taking to protect the privacy and security of their electronic health records.
  • Figuring out whether a specific security incident constitutes a health information breach that must be reported to federal authorities and those affected.
  • Dealing with conflicting regulations in various states on obtaining patient consent to share their records.
  • Handling complex privacy issues that emerge when an employee is also a patient.
  • Creating a game plan for how to get ready for looming federal HIPAA compliance audits, which are mandated under the HITECH Act and may start later this year.

Other Security Risks

One workshop speaker, Terrell Herzig, UAB Health System's data security officer, pointed out some other issues that security professionals may be overlooking.

For example, he said they should make sure that outside firms hired to shred paper documents keep them secure every step of the way and do not leave them unattended while awaiting shredding. He also encouraged workshop attendees to consider destroying unused storage media to help minimize risk. For example, UAB grinds up its unused hard drives using its own crushing equipment.

Also at the workshop, Lisa Gallagher, senior director of privacy and security at HIMSS, announced the association has developed an enhancement to its privacy and security tool kit with specific guidance for smaller organizations. The enhancements were developed in collaboration with the Medical Group Management Association.

About the Author

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.
