Mac McMillan, CEO at information security and regulatory compliance firm CynergisTek Inc., sees the breach notification rule as quickly raising the awareness of hospitals to weaknesses in their data security.

"More hospitals today are beginning to spend more attention, more time and more money on security," McMillan said during a presentation at the Safeguarding Health Information Conference in Washington. Public posting of organizations that have experienced large breaches, as well as compliance agreements that the Department of Health and Human Services' Office for Civil Rights imposes after such breaches, are having the desired effect of raising the priority of security, he believes. "No one wants Uncle Sam looking over their shoulder for three years."

Still, McMillan is amazed at how many organizations on the breach list did not encrypt laptops and other portable devices, and the list grows. "You have to ask yourself: How hard do you have to get hit before learning that lesson?"

Another good way to keep of the breach list is to use access logging and auditing software that already is embedded in many information systems and available for others, McMillan contends. He cites a 2008 survey from database analysis firm HIMSS Analytics that showed 60 percent of hospitals use some form of automation to look at audit logs, but only 30 percent of these users audit in a pure automated fashion. The number of total users only rose to 64 percent last year as the breach notification rule was being developed and put into effect.

With hospitals often having hundreds of information systems, manually logging and auditing simply is not effective, McMillan says. These systems produce literally gigabytes of data weekly and the annual growth in log data is 15 to 20 percent.

Hospitals cite frustration with automated log/audit systems, such as lack of solutions for clinical applications and lack of proactive solutions, and these are legitimate gripes, according to McMillan. In addition, most existing log/audit systems don't have a field to note why a person accessed a system, which is a requirement under the HITECH Act.

Further, poor identity management--being able to identify who accessed a system, when and for what purpose--will be a major challenge in complying with the Office for Civil Rights' forthcoming rule on accounting for disclosures, as well as electronic health records certification requirements and breach notification, he contends.

Use of log data can assist in detecting and preventing unauthorized access, meeting the "checklist" requirements of regulatory compliance, actually ensuring regulatory compliance in actual programs, conducting forensic investigations, tracking suspicious behavior, information systems troubleshooting and network operations, McMillan explains. "I want to be able to connect the dots."

--Joseph Goedert


Register or login for access to this item and much more

All Health Data Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access