ONC's New Cybersecurity FocusPrivacy Chief Joy Pritts Discusses Emerging Threats
In the five years since the HITECH Act was signed into law, there have been some major successes and disappointments concerning health information security and privacy, says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT.
"One of the key elements from a privacy perspective is a patient's access to their own health information, and how [HITECH] clarified that the patient has the right to get electronic access ...," she says in an interview with Information Security Media Group (transcript below).
"From more of the confidentiality perspective, probably the biggest impact that the law has had is broadening the protections of the information to those who are business associates," she says. "It's a really important development given where we're all going with health information technology and exchange, and the new modes of sharing this information."
What's disappointing, Pritts says, is how little the industry knows about the privacy and security provisions of the HITECH Act, "and how much work there is to be done in order to bring everybody up to speed."
In the interview, Pritts also discusses:
- Why getting the healthcare sector prepared for emerging cybersecurity threats is a focus for ONC;
- The status of HHS work on the long-awaited HIPAA accounting of disclosures rule;
- Efforts at HHS to address healthcare fraud and medical identity theft involving electronic health records.
Pritts joined ONC, a unit of the Department of Health and Human Services, in 2010 as the office's first chief privacy officer. In that role, Pritts provides advice to the HHS secretary and the National Coordinator for Health IT about developing and implementing ONC's privacy and security programs under HITECH. Pritts also works closely with the Office for Civil Rights and other divisions of HHS, as well as with other government agencies, to help ensure a coordinated approach to key privacy and security issues. Before joining ONC, Pritts held a joint appointment as a senior scholar with the O'Neill Institute for National and Global Health Law and as a research associate professor at the Health Policy Institute, Georgetown University.
ONC's Privacy, Security Priorities
MARIANNE KOLBASUK MCGEE: What are ONC's health data privacy and security priorities for this year? What ONC's privacy and security initiatives should we watch for?
JOY PRITTS: We've been working a lot in the last few months with the White House on the cybersecurity framework initiative. For those who aren't familiar with that, about a year ago the White House issued an executive order dealing with cybersecurity and critical infrastructure. Part of that critical infrastructure of course includes health and public health. So there have been a lot of efforts made to include healthcare so that we recognize the risks we are facing, and can take some proactive steps against them. That is not an area we've really focused on so much in the past. We recognize from a lot of the breach notification to date [that] most of the breaches that have been reported have been more mundane things such as losing laptops, theft, and things of that nature. But we do see that the future may be in cyber hacking. It's almost bound to increase as we are moving forward, so we're trying to take a proactive step on that and bring the healthcare sector up-to-date as they implement, if not before.
Health Data Privacy and Security
MCGEE: What do you think are the nation's biggest achievements since then, when it comes to health data privacy and security?
PRITTS: There are a number of really major achievements since the HITECH Act was passed. I would say one of the key elements from a privacy perspective is a patient's access to their own health information, and how that was clarified that the patient has the right to get electronic access if it is a reasonable thing to ask for. From more of the confidentiality perspective, probably the biggest impact that law has had, is broadening the protections of the information to those who are business associates. It's a really important development given where we're all going with health information technology and exchange, and the new modes of sharing this information.
MCGEE: What are the disappointments?
PRITTS: It's still a little disappointing to know how little industry knows about the rule and law, and how much work there is to be done in order to bring everybody up to speed.
Keeping Patient Data Private
MCGEE: What are the biggest challenges organizations are having in keeping patient data private and secure do you think?
PRITTS: I think mobile devices continue to be a major concern among all healthcare providers. They are not really set up for how [to] manage those devices; they are cool, fun, and also can be not [so] secure depending on how you set them up. I think that is an area that is really challenging for many.
Covered Entities and BAs
MCGEE: Overall, how would you rate the state of information security in healthcare with covered entities and the BA's in 2014?
PRITTS: I think that one of the trends we've seen is that many of these organizations are now recognizing how important security is. That is a wonderful trend, because it's now on the radar screen as something that really needs to be paid attention to. I think it is difficult for many because they are busy doing all sorts of other things with IT, and keeping this as a priority as you move along is a difficult thing to do, but necessary.
MCGEE: What efforts are under way at ONC or HHS in general to address healthcare fraud or medical ID theft, especially that involving EHRs?
PRITTS: One of the reasons why security is being built into some of the certification standards for EHRs is to try to mitigate against some of these risks. We also have been working very much over the last couple years on authentication issues and trying to move the industry to two-factor authentication, which would help better secure information. Yet another area that we're trying to get people to focus on is what we call 'privacy by design,' so that as people are building their systems they're not storing your social security number, name, and date of birth. All of that information in one place makes it very accessible and tempting for people to steal for fraud purposes.
MCGEE: What is the status on ONC pilots to test whether EHR can support implementing a proposal for accounting of disclosures?
PRITTS: We did receive those recommendations from the HIT Policy Committee. As you know, all federal advisory committee recommendations, that is all they are, recommendations. So we are examining whether pilots would be a great idea, [and] if so what they would focus on. There is a lot of material in those hearings as to some of the technology that was being described, and where there might be issues. Another thing to factor into some of this is, there is this thing called the 'budget cycle,' and so federal budget is usually determined a year or so in advance. Those are some of the things that we have to consider when we're looking at recommendations like this.
MCGEE: When do you think accounting of disclosures and access reports might come up again?
PRITTS: It is under consideration. ... It is being discussed, it's not been put on a backburner at all.
Emerging Cybersecurity Threats for Healthcare
MCGEE: What would you say overall are the biggest emerging cybersecurity threats facing the healthcare sector?
PRITTS: There is a lot that keeps me up at night. I do think that mobile continues to be an area of great concern for us, because it is just so convenient for people. Having the data availability is another issue that is a great concern for us, because as you move into more cloud-based services and things of that nature, people are assuming that it's more available to them. We've seen in a couple of instances where that hasn't quite been the case, so that's another area that people need to recognize, there are plus and minuses [in] all of these new directions that we're headed.
Additional Summit Insight:
Hear from more industry influencers, earn CPE credits, and network with leaders of technology at our global events. Learn more at our Fraud & Breach Prevention Events site.