HIPAA changes force healthcare to improve data flow - 0 views
searchsecurity.techtarget.com/...94698,sid14_gci1349580,00.html
Privacy Security Electronic HealthCare Records Risk
shared by Karl Wabst on 21 Apr 09
- No Cached
-
Karl Wabst on 21 Apr 09The recent U.S. stimulus bill includes $18 billion to catapult the health industry toward the world of electronic health records. This is sure to light a fire under every hungry security vendor to position itself as the essential product or service necessary to achieve HIPAA compliance. It should also motivate healthcare IT professionals to learn where their sensitive data is located and how it flows. To be sure, with federal money allocated through 2014 for the task of modernizing the healthcare industry there will be many consultant and vendor businesses that will thrive on stimulus money. Healthcare is unique in that storage of electronic health records is highly distributed between primary care physicians, specialist doctors, hospitals, and insurance/HMO organizations. Information has to be efficiently shared among these entities with great sensitivity towards patient privacy and legitimate claims processing. Patients want to prevent over zealous employers from performing unauthorized background checks on medical history; claim processors want to prevent paying fraudulent claims arising from targeted patient identity theft. The bill has two provisions which turn this into a tremendously challenging plan, and a daunting task for securing patient data: * Citizens will have the right to monitor and control use of their own health data. This implies a large centralized identity and access control service, or perhaps a federated network of patient registration directories. Authenticated users will be able to reach into the network of health databases audit use of their data and payment history. * Health organizations suffering loss of more than 500 patient records must publicly disclose the breach, starting with postings on the government's Health and Human Services website. This allows related organizations to trace the impact of the breach throughout the healthcare network, but care must be taken not to disclose vulnerabilities in the system to intruders