Health organizations aren't meeting the security demands of HIPAA, partly because they push too much of the responsibility on their IT departments, experts on the law said during this week's HealthSec conference in Boston.
"You can't put it all in the hands of the IT department," said Lisa Gallagher, a security consultant affiliated with URAC, a Washington D.C.-based nonprofit that promotes health care quality through accreditation and certification programs. "We found organizations that relegated it to IT spent far too much money on technology that dealt with some issues but overlooked other tools that would have been useful."
Gallagher discussed the results of a report URAC released in April after reviewing the practices of hundreds of different health care organizations. It identified four key problems hurting the ability of organizations to meet HIPAA's security demands:
- Incomplete or inappropriately scoped risk analysis efforts.
- Inconsistent and poorly executed risk management strategies.
- Limited or faulty information system activity review.
- Ineffective security incident reporting and response.
"Organizations must be careful not to overly rely on technologists to make risk management assumption decisions without clear guidance and support from the business operations perspective," the report said. "While information security management is a business function that relies on technology-savvy decision-makers and significant technologic investment to achieve many risk reduction goals, at its core, information security is not solely a technology problem."
The report added that "placing responsibility for the strategic vision and approach of the information security risk management program solely in the realm of IT tends to lead to a myopic technology-centric risk management strategy, to the exclusion of other control types and risk assumption strategies."
Gallagher discussed ways to improve the situation. "It is key that all staff be aware and involved in the process," she told conference attendees. "No one person can sit in a room and do risk analysis. Every corner of the organization must be touched." In the end, she said, decisions must be made at the executive level.
She also recommended that organizations audit their implementation plans. "You need to audit how your staff is following procedures and why they're ignoring them when that is the case," Gallagher said.
Experts shared those sentiments during other seminars at the conference, put on by the MIS Training Institute.
"The business owners and system administrators have to be on the same page," said Maria Horton, a retired Navy commander, former CIO for the National Naval Medical Center and president of Herndon, Va.-based EmeSec Inc. "You have to have the roundtable discussion. And you need to define security as part of management policy, not IT policy."
Chris Apgar, an independent consultant and former HIPAA compliance officer for Providence Health Plans, agreed. "To make a cultural change, collaboration is key," he said. "And it needs to be defined who is clearly responsible. You need to have that one person in charge."