HIMSS 2014: The HighlightsHIPAA Audit Update, Medical Device Security Insights
As usual, this year's HIMSS Conference yielded plenty of news and insights on privacy and security issues. Highlights included new details about resumption of HIPAA compliance audits and groundbreaking discussions of key medical device security issues.
See Also: Creating a Culture of Security
During the show, the Department of Health and Human Services' Office for Civil Rights revealed plans to resume its HIPAA audit program, which has been on hiatus since OCR's pilot audit program wrapped up in 2012.
OCR is already zeroing in on 1,200 potential organizations to audit, including approximately 800 covered entities and 400 business associates.
This time around, OCR will be randomly auditing covered entities as well as business associates. The team at OCR is already zeroing in on 1,200 potential organizations to audit, including approximately 800 covered entities and 400 business associates. Those organizations will first receive a survey from OCR to confirm whether they're appropriate candidates for audits, Susan McAndrew, deputy director of the Office for Civil Rights, told me after a HIMSS session where she was a presenter. Not all 1,200 will likely face an actual audit, though, she admits. Those picked for the survey "is an oversupply," she says.
Medical Device Security
Another hot topic at HIMSS that got a lot more attention than in previous years is the security of medical devices.
An all-day pre-conference workshop I attended featured a variety of experts, including those from healthcare organizations, medical device manufacturers and the Food and Drug Administration. And the consensus was that all the stakeholders need to work together to improve cybersecurity practices, including risk assessments, to keep patients safe and health data protected.
Big Breach Lessons
Another theme that resonated was that the healthcare sector, as well as government regulators, needs to watch carefully for lessons that can be learned from big breaches in other sectors, including the Target Corp. incident.
"The fallout from the Target breach and other breach cases could make Congress look at new legislation" on how data security incidents are handled, Mac McMillan, CEO of security consulting firm CynergisTek, told me.
Meanwhile, officials at the Office of the National Coordinator for Health IT, which administers the HITECH Act incentive program for electronic health records, stressed the importance of secure data exchange among healthcare providers, including those using different EHR platforms. ONC is also on a mission to ensure that patients are engaged in their care, and that includes ensuring there's a way for healthcare organizations to securely capture pertinent information that's provided by the patients themselves.
"Health IT is really about people, not technology. It's about improving the lives of the American people," said Karen DeSalvo, M.D., ONC's new leader. "A lot of important healthcare is provided and not captured [in records]," she noted.
DeSalvo also stressed that accurately matching patients to the right records from multiple sources is a critical security, privacy and safety issue that needs to be tackled as healthcare moves toward nationwide health information exchange in the next three years.
By the time the 2015 HIMSS Conference rolls around next April in Chicago, there could be some new security and privacy guidelines. And we'll know more about the results of HIPAA audits. As a result, hopefully patients' data will be better protected.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.