It’s that Time of Year: One Last Vacation, Back to School and…the HIMSS Security Survey

I love this time of year; it’s still beach weather, but it gets cool at night. And, it’s back to school time! 

This year, added a new twist, er, should I say shake, rattle and roll!  The week my son started his second year at Virginia Tech, he was very near the epicenter of a decent size earthquake that we also felt strongly in DC and Maryland.  The week my daughter was supposed to start her junior year in high school, we had a hurricane that delayed school opening and kept our power off for four days.  Whew, thankfully, things are now back to normal.

On the security front at HIMSS, we’re doing some earth shattering things as well!  We continue to do work on key implementation areas with our HIMSS member volunteers – this year it’s cloud security, mobile security, risk assessment and patient identity integrity.  We have an exciting half-day Virtual Briefing planned on privacy and security topics in December (more to come on that)!

Right now, we continue our annual process of surveying security and IT professionals in today’s healthcare organizations with the goal of providing the industry – policy makers and implementers alike – key information on the state of security implementation and how that relates to our needs and our current regulatory environment.  This one-of-a-kind survey is aimed directly at those persons in healthcare organizations that perform or are responsible for security policies, activities and functions. 

The industry already knows that HIPAA requires security risk assessment and informed decisions on security controls.  In February 2009, new statutory requirements added from ARRA/HITECH have HHS continuing to roll out new privacy rules (e.g., Security Breach Notification, Accounting of Disclosures, etc.) 

And, in July 2010, the Centers for Medicare and Medicaid Services (CMS) published the final rules on the Electronic Health Record Incentive Program. In this set of final rules, CMS identified a core set of 14 meaningful use objectives in which eligible hospitals (EH) and 15 core meaningful use objectives in which eligible professionals (EP) need to focus to qualify for incentive funds provided through the new CMS Medicare and Medicaid incentive program.   

One of these rules specifically stipulates that EHs and EPs must protect electronic health information created or maintained by the electronic health record (EHR) by conducting or reviewing a security risk analysis. These organizations must also implement security updates as necessary and correct identified security deficiencies as part of its risk management process.

In this year’s Security Survey, we probe areas, such as risk assessment, security breach detection and reporting, logging, accounting of disclosures, identity theft, use of security technology, patient identity etc.  This survey is sure to, once again, result in a compelling final report this fall.