In an earlier blog post from June, we touted the fact that healthcare providers may not be focusing on the right efforts in terms of information security. A recent article in eWeek noted that there's another dimension to the puzzle as well: patients themselves.
We've seen that the compliance landscape has gradually evolved since HIPAA was first enacted, picking up some steam recently with HITECH and the meaningful use incentive program. Despite all of these incentives, though, only 40 percent of patients believe that EHRs will improve patient care, according to the eWeek article. This raises the question: why all the apprehension? Is it because patients distrust the ability of hospitals to secure their data as it moves online? It would certainly seem that way. After all, an estimated 58 percent of patients distrust a provider following a breach.
In the eWeek article, John Moore, an analyst at Chilmark Research, mentions that "Consumers are very concerned about security of their PHI [protected health information] and have every right to be ... This industry has an atrocious record when it comes to securing PHI, and thankfully, the feds are finally getting serious about enforcement."
How to Prepare for Future HIPAA Compliant Meaningful Use Audits and Data Sharing Initiatives
As we mentioned in the earlier blog, hospitals need to include enabling endpoint access security and encryption, developing a monitoring and information security mitigation plan, and implementing a mobile device security strategy as part of their overall plan.
While compliance enforcement and incentives may be an initial "carrot" to drive more providers to connect EHRs and begin conducting security risk assessments, a security program that includes these measures, plus mitigation measures such as IR (incident response) and forensics, will not only provide scalability to address future compliance audits, but will also pave the way for inevitable data sharing initiatives through such programs as Health Information Exchanges and Accountable Care Organizations. Information security sometimes focuses too narrowly on the technology itself; the industry should also keep patients satisfied, and that equates to having a solid security program.