Let compliance lead the way in preventing healthcare data breaches

With a number of security breaches last year - plus new regulations and security requirements - the pressure is on healthcare organizations to better control the security of their records.
Written by Brian Cleary, Aveksa, Contributor
Commentary - Healthcare security breaches rocked headlines in 2009, and healthcare organizations are ringing in the New Year with high anxiety regarding HIPAA compliance. The recently passed Health Information Technology for Economic and Clinical Health (HITECH) Act imposes new, more stringent regulatory and security requirements on top of the HIPAA privacy rules and increases the penalties for violations.

The act puts significantly increased demands on health care organizations in the areas of audit and notification. Organizations will also be impacted by new requirements for on-demand patient audit requests of who had access to health records, notification of potentially compromised patients and the provision of reports detailing the origin and nature of any given incident.

Compliance will be particularly difficult for organizations without strong access governance processes and policies in place to provide a historical audit trail of who has access to, and who has actually accessed, health records. For that reason, many organizations are already starting to rethink their processes.

Considering the dramatic increase in the sheer number of breaches and theft of personal health records last year alone, organizations should view the HITECH Act as an opportunity to implement an access governance framework to improve and modernize how patient information is stored and accessed through electronic health records in 2010.

What’s at risk
High-profile HIPAA violations became increasingly prevalent last year, and as public privacy concerns grow more widespread, HITECH Act violations will take center stage this year.

Fines can be substantial – up to $250,000 – and criminal penalties can also be imposed. Violations can also cause significant reputation and brand damage. Several staff members at the University of California Los Angeles, for example, significantly damaged the reputation of the university when they took advantage of inappropriate access to leak information on celebrities to the press, causing serious HIPAA violations.

One area that will continue to lead to a significant number of audit findings for health care organizations in 2010 is access change management, and unfortunately, new stringent HITECH Act guidelines will make it even more challenging from a controls perspective. Organizations will need to shore up processes for governing requests for initial access and changes to existing access due to transfers and terminations.

Health care organizations often struggle to maintain a consistent approach for governing user access and, as a result, may have an incomplete or fragmented posture of compliance throughout the organization. This is partly due to the sheer volume of change and churn to the user constituent population. User relationships and roles are constantly changing as employees, contractors, consultants and partners move into and out of different job functions and operational groups.

Today’s health care systems are also often fragmented and widely diverse, with patient data being stored in multiple systems and locations. With the trend toward outsourcing, patient data is frequently stored outside the organization with third-party providers. This fragmentation and distribution further complicates the ability of an IT team to gain a clear picture of the access reality and ensure that entitlements are governed accordingly.

Change will become so overwhelming for these organizations that processes for governing access will be unable to keep up with reality. Organizations typically do an adequate job controlling initial access requests, but when users transfer or terminate their relationship with the organization it is more problematic, as most organizations lack a standardized process for dealing with access change. The result can be orphaned accounts, segregation-of-duties violations and other compliance-related problems.

Certification and review are the standard safeguards against access violations from poor change management. However, many of today’s health care organizations rely on manual processes, laden with error.

Minimizing risk with compliance
To become HIPAA compliant and also ensure compliance with the new requirements brought on by the HITECH Act, organizations will need to replace many of these manual processes. It’s an excellent opportunity to proactively implement an access governance framework that leverages the overlap with other regulatory obligations like Sarbanes-Oxley.

Such a framework provides a comprehensive view of enterprise access reality – understanding who has access to which information resources and what they can do with them, at a fine-grained entitlement level. It will also pay dividends both in terms of operational and compliance risk reduction and in a reduction of the operational overhead required by ongoing compliance processes.
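The access-change failures described above (orphaned accounts after termination, stale entitlements after transfer, and segregation-of-duties conflicts) are exactly what an automated access review catches when the identity roster is reconciled against what each system actually grants. The script below is an added example written for this article, not Aveksa's product or any code from the author; it assumes a constructed HR roster, a constructed entitlement export from two hypothetical clinical systems, and a hypothetical role model mapping departments to the entitlements they may legitimately hold.

```python
"""Access-review reconciliation: HR roster versus system entitlements.

Added example (not from the original article). All data below is constructed
for illustration; system names, accounts and entitlement names are hypothetical.
"""
from collections import Counter, namedtuple

# One finding per problem discovered during the review.
Finding = namedtuple("Finding", "kind account system entitlement")

# Constructed HR roster: employment status and current department per account.
HR_ROSTER = {
    "jdoe":   {"status": "active",     "dept": "billing"},
    "asmith": {"status": "active",     "dept": "nursing"},   # transferred from pharmacy
    "bjones": {"status": "terminated", "dept": "pharmacy"},
}

# Constructed entitlement export: (system, account, entitlement) as pulled
# from each application's own access tables.
ENTITLEMENTS = [
    ("ehr",      "jdoe",       "claims_submit"),
    ("ehr",      "jdoe",       "claims_approve"),  # toxic pairing with claims_submit
    ("ehr",      "asmith",     "chart_read"),
    ("pharmacy", "asmith",     "dispense"),        # left over from the old department
    ("pharmacy", "bjones",     "dispense"),        # orphaned: user was terminated
    ("ehr",      "svc_backup", "chart_read"),      # no HR record at all
]

# Hypothetical role model: entitlements each department may legitimately hold.
ROLE_MODEL = {
    "billing":  {"claims_submit", "claims_approve", "chart_read"},
    "nursing":  {"chart_read"},
    "pharmacy": {"dispense", "chart_read"},
}

# Segregation-of-duties rules: pairs one person must never hold together.
SOD_RULES = [("claims_submit", "claims_approve")]


def review_access(roster, entitlements, role_model, sod_rules):
    """Reconcile entitlements against the roster and return a list of Findings."""
    findings = []

    # Group the export by account so each person is reviewed once.
    by_account = {}
    for system, account, ent in entitlements:
        by_account.setdefault(account, []).append((system, ent))

    for account, ents in by_account.items():
        person = roster.get(account)

        # Account exists in a system but HR has no record of it.
        if person is None:
            findings += [Finding("unknown_account", account, s, e) for s, e in ents]
            continue

        # Terminated user still holding access: an orphaned account.
        if person["status"] != "active":
            findings += [Finding("orphaned", account, s, e) for s, e in ents]
            continue

        # Active user: flag entitlements outside the current department's role,
        # which is what a transfer without access cleanup looks like.
        allowed = role_model.get(person["dept"], set())
        findings += [Finding("out_of_role", account, s, e)
                     for s, e in ents if e not in allowed]

        # Segregation-of-duties check across all systems the person can reach.
        held = {e for _, e in ents}
        for first, second in sod_rules:
            if first in held and second in held:
                findings.append(Finding("sod_conflict", account, "*",
                                        f"{first}+{second}"))
    return findings


def summarize(findings):
    """Count findings by kind; this is the figure an auditor asks for first."""
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    for f in review_access(HR_ROSTER, ENTITLEMENTS, ROLE_MODEL, SOD_RULES):
        print(f"{f.kind:15} {f.account:11} {f.system:9} {f.entitlement}")
    print(summarize(review_access(HR_ROSTER, ENTITLEMENTS, ROLE_MODEL, SOD_RULES)))
```

Each finding names the account, the system and the specific entitlement, so the output doubles as the remediation worklist (revoke, re-certify, or open a ticket) and as evidence that a review took place on a given date. Running the same reconciliation on a schedule, rather than only at certification time, is what turns a manual, error-prone review into a standing control over the transfer and termination churn the article describes.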

Brian Cleary is vice president of products and marketing at Aveksa, the market-leading provider of enterprise access governance solutions. He can be reached at bcleary@aveksa.com.
