TRENDING:

The Security Scrutinizer with Howard Anderson

Another Reason to Prevent Breaches

Attorney Warns of an 'Insurance Crisis' Howard Anderson (ismg_editor) • June 13, 2011    

If you need one more reason to take additional steps to prevent health information breaches, here's something to consider. An attorney argues that if breaches, and their high costs, are not brought under control, "I think where we are headed is to an insurance crisis."

Speaking at the Health Privacy Summit June 13 in Washington, Jim Pyles, principal at the healthcare law firm Powers, Pyles, Sutter & Verville, argued that liability insurers will think twice about covering healthcare organizations for the risks involved in using information technology if the costs of dealing with breaches continue to grow.

The Department of Health and Human Services' Office for Civil Rights reports that since the HITECH Act breach notification rule took effect in September 2009, there have been 288 major health information breaches affecting a total of almost 11 million individuals.

Speaking on the same panel, Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, noted that roughly two-thirds of these major breaches stemmed from the loss or theft of portable devices or media.

"There is a tremendous education gap," she stressed. Although electronic health records systems contain numerous security features, including encryption, "the protections are only as good as the implementation," she noted. "And that's where we see a lot of the problems." Security technology must be supported by policies and procedures, "and that's another area of weakness," she added.

The bottom line? If it's been a while since you reviewed your organization's privacy and security policies and procedures, conducted a risk assessment took action to mitigate risks and educated your staff about privacy protections, don't delay. Otherwise, you could wind up on the federal "wall of shame" and face the high costs of dealing with the aftermath of a breach.

Clear Privacy Guidelines Needed

Pyles also contended that HIPAA, the HITECH Act and other regulations designed to protect patient privacy are far too complex. "We need a simple set of privacy standards that are understandable by patients and understandable by those who have to comply with them."

And Gallagher said that physicians and other providers are uncomfortable educating patients about their privacy rights because of their own lack of understanding.

The time has come for federal regulators to work together to articulate a clear set of easily understandable health information privacy standards and then educate providers about how to comply - as well as how to keep their patients well-informed about their rights.



About the Author

Howard Anderson

Howard Anderson

Former News Editor, ISMG

Anderson was news editor of Information Security Media Group and founding editor of HealthcareInfoSecurity and DataBreachToday. He has more than 40 years of journalism experience, with a focus on healthcare information technology issues. Before launching HealthcareInfoSecurity, he served as founding editor of Health Data Management magazine, where he worked for 17 years, and he served in leadership roles at several other healthcare magazines and newspapers.




Around the Network

How 'Security by Default' Boosts Health Sector Cybersecurity
How 'Security by Default' Boosts Health Sector Cybersecurity
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
How the NIST CSF 2.0 Can Help Healthcare Sector Firms
Is It Generative AI's Fault, or Do We Blame Human Beings?
Is It Generative AI's Fault, or Do We Blame Human Beings?
Safeguarding Critical OT and IoT Gear Used in Healthcare
Safeguarding Critical OT and IoT Gear Used in Healthcare
Protecting Medical Devices Against Future Cyberthreats
Protecting Medical Devices Against Future Cyberthreats
Properly Vetting AI Before It's Deployed in Healthcare
Properly Vetting AI Before It's Deployed in Healthcare
Identity Security and How to Reduce Risk During M&A
Identity Security and How to Reduce Risk During M&A
Medical Device Cyberthreat Modeling: Top Considerations
Medical Device Cyberthreat Modeling: Top Considerations
Evolving Threats Facing Robotic and Other Medical Gear
Evolving Threats Facing Robotic and Other Medical Gear
Transforming a Cyber Program in the Aftermath of an Attack
Transforming a Cyber Program in the Aftermath of an Attack

Continue »

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.in, you agree to our use of cookies.