Many healthcare organizations have a gap in how executives view their information security posture compared with what the information technology leaders <I>know</I> is the security posture. If this gap exists, it makes covered entities and business associates vulnerable to cyber attacks.

During a session at HIMSS16 on March 1, Brandon Barney, a security assessor at SecurityMetrics, which performs vulnerability assessment scans and other security services, hopes to give his audience a reality check.

Reality No. 1 is that even in the era of cyber attacks, too many organizations are too confident in their security posture, Barney says. “You are losing your patient data. People tell you their products make you secure.” But documenting processes and a stack of papers from attorneys demonstrating HIPAA compliance don’t mean an organization is secure.

When something bad happens, people start pointing fingers everywhere but at themselves, he adds. IT is telling executives and BAs about their true security posture, but too often the executives quit listening. “We are losing data because we don’t have the tools, processes or desire to protect data, and we don’t even know it.”

Consequently, Barney’s session will focus on where data is leaving to prioritize investments in time and money. Priority areas include assessing current controls, determining the likelihood of a breach, training, low-cost access controls for physical security, and keeping systems and applications up to date.

He’ll also discuss myths that are believed but actually diminish security, such as a firewall is sufficient to block intruders and protect a system. Another myth is believing that staff and clinicians are using unique logins for the EHR because it is required. “But every nurse is using the same login at the nurse stations,” he contends. Barney also knows of a major dental chain that until recently was not complying with HIPAA privacy and security rules because it had determined that HIPAA did not apply to the organization.

The lasting impression he wants to leave: “I want to show them the value of a good security posture by picking off small size chunks they can start doing today.”

Session 46: HIPAA Reality Check: The Gap Between Execs and IT, is scheduled on March 1 at 11:30 a.m. in Palazzo L.

Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access