DALLAS - Healthcare organizations continue wrestling with HIPAA compliance issues, yet still face impending security regulation deadlines. Told they must implement specific provisions, many still question the rationale behind the U.S. Department of Health and Human Services (HHS) security requirements.
At the Healthcare Information and Management Systems Society (HIMSS) conference this week, Keith Fricke, data security administrator for the east region of Cleveland Clinic Health System, explained the necessity behind HIPAA's Security Rule.
Fricke's statistics revealed high levels of vulnerability facing networks. According to studies conducted by the U.S. Federal Trade Commission, identity theft and fraud increased by 149% between 2001 and 2003. Citing further evidence of the need for heightened security, he said that hospitals were rated the fourth-highest target for hackers in a 2002 survey.
Given the staggering numbers, Fricke concluded that there is an increasingly high level of risk associated with receiving healthcare in the U.S. In addition, he said that the industry remains deficient in protecting private information.
"Healthcare lags far behind the financial industry in terms of protecting information," he said.
He advised that a successful means of obtaining organizational buy-in to security compliance efforts is to reinforce the reality that most healthcare workers are likely patients of the organizations in which they work, and accordingly, have a vested interest in securing their information.
Fricke listed today’s major information security threats as:
- Internet reconnaissance
- Viruses and worms
- Social engineering
- Wireless communication
- Mobile computing
Internet reconnaissance provides two types of targets: the opportunity target and the intentional target, he said. Opportunity targets are sought out by those randomly attempting to locate vulnerabilities, while intentional targets are sought by those with prior knowledge of network vulnerability.
Information on these network vulnerabilities is often placed on Web sites and used by individuals in different ways and for different purposes, according to Fricke. Likewise, virus and worm programs are developed and posted on the Web for multiple reasons.
Some viruses and worms are cleverly distributed through e-mails with intriguing subject lines requesting the recipient to visit different Web sites. Upon visiting the site, these malicious viruses or worms may invade a user's system and deploy functions such as keystroke logging, and subsequently transmit private information such as passwords, credit card numbers, and social security numbers back to a pre-determined location.
These are the types of nightmares HIPAA's Security Rule was intended to address.
Fricke illustrated the ease with which wireless-network invasion can be accomplished, using antenna boosters and do-it-yourself boosters from plans on the Internet. He recommended educating the workforce on threats to network security, as well as implementing several different types of antivirus software to defend against network vulnerabilities.
"Computers change all the time, and new viruses are being created on a daily basis. As healthcare organizations start driving remote access, the physical walls of the organizations begin to disappear," Fricke said. He emphasized that there is an industry responsibility to educate providers and patients on security threats existing today, in an effort to ensure information privacy and security.
Throughout his presentation, Fricke stressed the overarching need for information security.
"The HIPAA Security Rule helps ensure that healthcare organizations protect the confidentiality, integrity, and availability of electronic protected health information," he said. "Security enables the use of technology to deliver improved patient care. Security makes privacy possible."
By Kris Knight
AuntMinnie.com contributing writer
February 18, 2005
Copyright © 2005 AuntMinnie.com