The rule requires affected individuals to be notified within 60 days of a data breach. HHS and local media also must be notified during that timeframe if a breach affects more than 500 individuals.
"More hospitals today are beginning to spend more time and more money on security," McMillan said during a presentation at the Safeguarding Health Information Conference in Washington. Public posting of large breaches, as well as compliance agreements that the HHS Office for Civil Rights imposes after such breaches, are having the desired effect, he believes. "No one wants Uncle Sam looking over their shoulder for three years."
Still, McMillan is amazed at how many organizations on the breach list did not encrypt laptops and other portable devices, and the list grows. "You have to ask yourself: How hard do you have to get hit before learning that lesson?"
Another good way to keep off the breach list is to use the access logging and auditing software embedded in many information systems and available as add-ons for others. McMillan cites a 2008 survey from database analysis firm HIMSS Analytics that showed 60 percent of hospitals use some form of automation to look at audit logs, but only 30 percent of these users audit in a purely automated fashion. The number of total users only rose to 64 percent last year as the breach notification rule was being developed and put into effect.
With hospitals often having hundreds of information systems, manually logging and auditing simply is not effective, McMillan says. These systems produce literally gigabytes of data weekly and the annual growth in log data is 15 percent to 20 percent.
Hospitals cite frustration with automated log/audit systems, such as lack of solutions for clinical applications and lack of proactive solutions, and these are legitimate gripes, according to McMillan. In addition, most existing log/audit systems don't have a field to note why a person accessed a system, a requirement under the HITECH Act.
Further, identity management (being able to identify who accessed a system, when and for what purpose) will be a major challenge in complying with the Office for Civil Rights' forthcoming rule on accounting for disclosures, as well as EHR certification requirements and breach notification, he contends.
Use of log data can assist in detecting and preventing unauthorized access, in meeting the "checklist" requirements of regulatory compliance and in actually ensuring compliance in day-to-day programs, as well as in conducting forensic investigations, tracking suspicious behavior, troubleshooting information systems and running network operations, McMillan explains.
"I want to be able to connect the dots."
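As an added example (not from the article or from McMillan's presentation), the kind of automated audit-log check the passages above describe: it flags accesses with no stated purpose, the field McMillan notes most log/audit systems lack, and users opening many distinct patient records within a short window. The CSV layout, field names, sample records and thresholds are assumptions.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample EHR access-log excerpt (assumed format, not real data).
# 'reason' is the purpose-of-access field; one record leaves it empty.
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action,reason
2011-03-01T08:02:11,dr_lee,physician,P1001,view,treatment
2011-03-01T08:05:40,dr_lee,physician,P1002,view,treatment
2011-03-01T09:10:03,clerk_ann,billing,P1001,view,payment
2011-03-01T09:12:55,clerk_ann,billing,P1003,view,
2011-03-01T12:00:01,nurse_bob,nurse,P1004,view,treatment
2011-03-01T12:00:09,nurse_bob,nurse,P1005,view,treatment
2011-03-01T12:00:15,nurse_bob,nurse,P1006,view,treatment
2011-03-01T12:00:22,nurse_bob,nurse,P1007,view,treatment
2011-03-01T12:00:30,nurse_bob,nurse,P1008,view,treatment
2011-03-01T12:00:41,nurse_bob,nurse,P1009,view,treatment
"""

def parse_log(text):
    """Parse CSV audit records into dicts keyed by the header fields."""
    return list(csv.DictReader(io.StringIO(text)))

def audit(records, window_s=60, threshold=5):
    """Return findings as (kind, user, detail) tuples.
    missing_reason: access with no recorded purpose of use.
    burst_access:   >= threshold distinct patients opened by one user
                    within window_s seconds (thresholds are illustrative)."""
    findings = []
    for r in records:
        if not r["reason"].strip():
            findings.append(("missing_reason", r["user"], r["patient_id"]))
    by_user = defaultdict(list)
    for r in records:
        ts = datetime.fromisoformat(r["timestamp"])
        by_user[r["user"]].append((ts, r["patient_id"]))
    for user, events in by_user.items():
        events.sort()
        for i in range(len(events)):          # sliding window per user
            patients = {events[i][1]}
            j = i + 1
            while j < len(events) and (events[j][0] - events[i][0]).total_seconds() <= window_s:
                patients.add(events[j][1])
                j += 1
            if len(patients) >= threshold:
                findings.append(("burst_access", user, len(patients)))
                break                         # report each user once
    return findings

FINDINGS = audit(parse_log(SAMPLE_LOG))
```

Running this over the sample yields one access with no stated purpose and one user who opened six patient records in under a minute; in practice the window and threshold would be tuned per role.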