Information security continues to be influenced by various forces, including threats, regulations and fundamental changes in healthcare and information technologies. Many of these influences have been in place for the past few years. But their impact on information security is increasing and their relative importance is ultimately shifting for many healthcare organizations. Next year will be another busy one for those who are tasked with protecting confidential information.

Here’s how four security trends may play out in 2015:

HIPAA Enforcement

Looking back, 2014 will be known as the year when healthcare organizations took notice and realized the impact of being complacent regarding HIPAA Security compliance. Why? Because it was a pivotal year for enforcement. As of December 4, the total number of breaches on the Department of Health and Human Services' (HHS) "wall of shame" topped 1,170. This equates to more than 31 million records being exposed since federal reporting was mandated in September 2009. While data breaches do not directly lead to fines, they do trigger HIPAA investigations. The HHS wall of shame clearly illustrates that a number of healthcare organizations still need to step up their security game, which is a bit shocking when you consider that the HIPAA Security compliance deadline was set in April 2005. The steady stream of 2014 announcements surrounding HIPAA enforcement settlements foreshadows a deluge as OCR proactive audits and state enforcement programs become fully operational.

Prediction: HIPAA enforcement will cause more healthcare organizations to experience investigations and fines than in any previous year.

Meaningful Use Enforcement

Healthcare organizations that seek incentive payments for the meaningful use of electronic health records must conduct or review a risk assessment every year. This requirement is similar to HIPAA Security's risk assessment implementation specification. However, meaningful use specifies an annual review, whereas HIPAA does not specify the periodicity. Healthcare organizations continue to lack an effective, ongoing risk assessment process and are not consistently identifying internal and external threats and vulnerabilities, or systematically implementing basic controls. One reason is a general lack of understanding or appreciation that organizations should only attest for an EHR incentive program "after you have fulfilled the security risk assessment requirement and have documented your efforts," as stated in the Guide to Privacy and Security of Health Information. Falsely attesting to having performed a risk assessment or review is Medicare fraud and carries criminal penalties, whereas HIPAA criminal penalties apply only to the deliberate misuse of protected health information.

Prediction: CMS will recoup more meaningful use money from healthcare organizations than in any previous year as audits discover errors in attestation.


Most reportable data breaches represent security failures of some kind. They lead to investigations that assess the full breadth of HIPAA-related security measures, which include formal risk assessments. Healthcare organizations are still not practicing security fundamentals. Their security efforts are fragmented and lack any type of formally integrated oversight, governance or alignment with other risk functions within the organization. Ownership of and accountability for security and compliance requirements remain unassigned. As a result, they fall short of compliance with applicable security regulations, standards and requirements. These fundamental steps need to be addressed before audits pick up in 2015.

Prediction: Healthcare organizations will increase their budgeting for information security.

Cloud Computing

Cloud computing is here to stay, and healthcare organizations will continue to work out how best to use cloud services to address their needs. Healthcare organizations have also found that their users need ways to exchange information, and cloud-based file-sharing services are an easy but potentially uncontrolled way of doing so. File synchronization for mobile device backups and multi-device users creates similar security concerns. Since there are many cloud-based solutions available, balancing ease of use, integration and security can still prove to be a challenge. Monitoring and managing data transfers and application access is imperative where cloud-based solutions and communication with the Internet are concerned.

Prediction: Healthcare organizations will increase their capabilities to support cloud computing in a secure manner.
