Healthcare Information Security Podcast

Faced with the threat of much stiffer penalties for data security violations and ramped-up enforcement at the federal and state levels, many hospitals are just starting to pay serious attention to security, contends consultant Kate Borten. But they must go far beyond investing in new technologies to develop comprehensive security strategies and actually carry them out, she says. In an interview, Borten, president of the Marblehead Group, predicts that civil suits by state attorneys general, like one recently filed in Connecticut, will grab the attention of hospitals and physician groups of all sizes, hopefully triggering action on data security. The HITECH Act gave state attorneys general the power to file civil suits on healthcare data security violations. Patients will be much more likely to file complaints with a state official than they would with a federal agency, she contends, predicting a ramping up of security cases. Among Borten's tips for hospitals playing catch-up on data security are: Hire a data security team, not just a chief information security officer. "One FTE alone isn't enough." Conduct an annual risk analysis and build a data security strategy. Prepare a detailed plan on how to report data security breaches. "It's similar to preparing for a computer system disaster." Encrypt all information transmitted over the Internet or a wireless network as well as data stored on portable devices.

Interview with Lydia Parnes, Former Director of the FTC's Bureau of Consumer Protection Privacy, data security and consumer protection - three of the top concerns to organizations everywhere. And they are three of the topics nearest and dearest to Lydia Parnes, former director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection. Now a partner in the Washington, D.C. office of Wilson Sonsini Goodrich & Rosati, Parnes works with organizations to ensure their privacy and security policies. In an exclusive interview, Parnes discusses: Current trends in privacy, data security and consumer protection; The greatest challenges to organizations entrusted with ensuring these protective measures; How the public and private sectors are likely to work together to tackle these challenges this year. Parnes' current practice focuses on privacy, data security, Internet advertising, and general advertising and marketing practices. The former director of the Bureau of Consumer Protection (BCP) at the Federal Trade Commission (FTC), she is a highly regarded expert in the field of consumer protection. As director of the BCP, one of the FTC's two law-enforcement bureaus and the nation's only federal consumer-protection agency, Parnes oversaw the enforcement of a wide range of laws designed to prevent fraud and deception in the commercial marketplace, safeguard consumer privacy, and provide consumers with important information about the goods and services they purchase. She also represented the bureau in international settings and on Capitol Hill in connection with such high-profile issues as information security and privacy, Internet advertising, and identity theft. In addition, Lydia has extensive experience with the application of consumer-protection principles to the technology market. In 2006, she served as the deputy executive director of the President's Task Force on Identity Theft, coordinating the efforts of 17 federal agencies in developing a national strategic plan to combat identity theft in both the private and public sectors.

Interview with Lydia Parnes, Former Director of the FTC's Bureau of Consumer Protection Privacy, data security and consumer protection - three of the top concerns to organizations everywhere. And they are three of the topics nearest and dearest to Lydia Parnes, former director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection. Now a partner in the Washington, D.C. office of Wilson Sonsini Goodrich & Rosati, Parnes works with organizations to ensure their privacy and security policies. In an exclusive interview, Parnes discusses: Current trends in privacy, data security and consumer protection; The greatest challenges to organizations entrusted with ensuring these protective measures; How the public and private sectors are likely to work together to tackle these challenges this year. Parnes' current practice focuses on privacy, data security, Internet advertising, and general advertising and marketing practices. The former director of the Bureau of Consumer Protection (BCP) at the Federal Trade Commission (FTC), she is a highly regarded expert in the field of consumer protection. As director of the BCP, one of the FTC's two law-enforcement bureaus and the nation's only federal consumer-protection agency, Parnes oversaw the enforcement of a wide range of laws designed to prevent fraud and deception in the commercial marketplace, safeguard consumer privacy, and provide consumers with important information about the goods and services they purchase. She also represented the bureau in international settings and on Capitol Hill in connection with such high-profile issues as information security and privacy, Internet advertising, and identity theft. In addition, Lydia has extensive experience with the application of consumer-protection principles to the technology market. In 2006, she served as the deputy executive director of the President's Task Force on Identity Theft, coordinating the efforts of 17 federal agencies in developing a national strategic plan to combat identity theft in both the private and public sectors.

Interview with Lydia Parnes, Former Director of the FTC's Bureau of Consumer Protection Privacy, data security and consumer protection - three of the top concerns to organizations everywhere. And they are three of the topics nearest and dearest to Lydia Parnes, former director of the Federal Trade Commission's (FTC) Bureau of Consumer Protection. Now a partner in the Washington, D.C. office of Wilson Sonsini Goodrich & Rosati, Parnes works with organizations to ensure their privacy and security policies. In an exclusive interview, Parnes discusses: Current trends in privacy, data security and consumer protection; The greatest challenges to organizations entrusted with ensuring these protective measures; How the public and private sectors are likely to work together to tackle these challenges this year. Parnes' current practice focuses on privacy, data security, Internet advertising, and general advertising and marketing practices. The former director of the Bureau of Consumer Protection (BCP) at the Federal Trade Commission (FTC), she is a highly regarded expert in the field of consumer protection. As director of the BCP, one of the FTC's two law-enforcement bureaus and the nation's only federal consumer-protection agency, Parnes oversaw the enforcement of a wide range of laws designed to prevent fraud and deception in the commercial marketplace, safeguard consumer privacy, and provide consumers with important information about the goods and services they purchase. She also represented the bureau in international settings and on Capitol Hill in connection with such high-profile issues as information security and privacy, Internet advertising, and identity theft. In addition, Lydia has extensive experience with the application of consumer-protection principles to the technology market. In 2006, she served as the deputy executive director of the President's Task Force on Identity Theft, coordinating the efforts of 17 federal agencies in developing a national strategic plan to combat identity theft in both the private and public sectors.

Hospitals and other healthcare organizations need to identify data security breaches "in a much more systematic way" to help ensure the privacy of personal information. That's the advice of Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society. Gallagher, one of the nation's leading healthcare data security experts, advises hospitals to "go beyond compliance" with federal regulations to "implement an active security risk management process." She also urges hospitals to allocate adequate resources to security so they can address potential threats identified in their risk assessments. A recent survey by Chicago-based HIMSS found that most hospitals spend less than 3% of their IT budget on security, a level Gallagher calls inadequate. As the federal government provides billions of dollars in funding for electronic health records through Medicare and Medicaid incentive payments, the government and the industry "need to make sure adequate resources are applied to security," she adds. In addition, she notes that HIMSS advocates widespread use of data encryption as a "best practice."

Hospitals and other healthcare organizations need to identify data security breaches "in a much more systematic way" to help ensure the privacy of personal information. That's the advice of Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society. Gallagher, one of the nation's leading healthcare data security experts, advises hospitals to "go beyond compliance" with federal regulations to "implement an active security risk management process." She also urges hospitals to allocate adequate resources to security so they can address potential threats identified in their risk assessments. A recent survey by Chicago-based HIMSS found that most hospitals spend less than 3% of their IT budget on security, a level Gallagher calls inadequate. As the federal government provides billions of dollars in funding for electronic health records through Medicare and Medicaid incentive payments, the government and the industry "need to make sure adequate resources are applied to security," she adds. In addition, she notes that HIMSS advocates widespread use of data encryption as a "best practice."

Hospitals and other healthcare organizations need to identify data security breaches "in a much more systematic way" to help ensure the privacy of personal information. That's the advice of Lisa Gallagher, senior director for privacy and security at the Healthcare Information and Management Systems Society. Gallagher, one of the nation's leading healthcare data security experts, advises hospitals to "go beyond compliance" with federal regulations to "implement an active security risk management process." She also urges hospitals to allocate adequate resources to security so they can address potential threats identified in their risk assessments. A recent survey by Chicago-based HIMSS found that most hospitals spend less than 3% of their IT budget on security, a level Gallagher calls inadequate. As the federal government provides billions of dollars in funding for electronic health records through Medicare and Medicaid incentive payments, the government and the industry "need to make sure adequate resources are applied to security," she adds. In addition, she notes that HIMSS advocates widespread use of data encryption as a "best practice."

The single most important step hospitals should take to comply with the HITECH Act is to retrain all employees, physicians and even volunteers on how to maintain the privacy and security of personal health information. That's the advice of Dan Rode, a regulatory expert at the American Health Information Management Association. In an interview, Rode also advises hospitals preparing for HITECH compliance to develop a detailed plan for reporting data security breaches and make sure that their business associates have similar plans in place. And he makes a strong case for greatly expanded use of encryption of electronic health records and other clinical information. Rode, vice president for policy and government relations, is a leader in the standards arena. He was among those who drafted the data standards that ultimately were incorporated in the Health Insurance Portability and Accountability Act.

The single most important step hospitals should take to comply with the HITECH Act is to retrain all employees, physicians and even volunteers on how to maintain the privacy and security of personal health information. That's the advice of Dan Rode, a regulatory expert at the American Health Information Management Association. In an interview, Rode also advises hospitals preparing for HITECH compliance to develop a detailed plan for reporting data security breaches and make sure that their business associates have similar plans in place. And he makes a strong case for greatly expanded use of encryption of electronic health records and other clinical information. Rode, vice president for policy and government relations, is a leader in the standards arena. He was among those who drafted the data standards that ultimately were incorporated in the Health Insurance Portability and Accountability Act.

The single most important step hospitals should take to comply with the HITECH Act is to retrain all employees, physicians and even volunteers on how to maintain the privacy and security of personal health information. That's the advice of Dan Rode, a regulatory expert at the American Health Information Management Association. In an interview, Rode also advises hospitals preparing for HITECH compliance to develop a detailed plan for reporting data security breaches and make sure that their business associates have similar plans in place. And he makes a strong case for greatly expanded use of encryption of electronic health records and other clinical information. Rode, vice president for policy and government relations, is a leader in the standards arena. He was among those who drafted the data standards that ultimately were incorporated in the Health Insurance Portability and Accountability Act.

Completing security risk assessments for a long list of applications and providing data security training to its entire staff are two of the top priorities for 2010 at Johns Hopkins Medicine, one of the nation's largest academic medical centers. In an interview, Stephanie Reel, vice president for information services for the Baltimore-based organization, spells out a top 10 list of data security priorities. The list also includes a massive effort to deploy new multi-factor authentication and broader use of encrypted e-mail. Reel is one of the nation's longest serving CIOs, with nearly 20 years of experience at Johns Hopkins. In addition to heading I.T. for the health system, she serves as vice provost for I.T. for all of Johns Hopkins University.

Completing security risk assessments for a long list of applications and providing data security training to its entire staff are two of the top priorities for 2010 at Johns Hopkins Medicine, one of the nation's largest academic medical centers. In an interview, Stephanie Reel, vice president for information services for the Baltimore-based organization, spells out a top 10 list of data security priorities. The list also includes a massive effort to deploy new multi-factor authentication and broader use of encrypted e-mail. Reel is one of the nation's longest serving CIOs, with nearly 20 years of experience at Johns Hopkins. In addition to heading I.T. for the health system, she serves as vice provost for I.T. for all of Johns Hopkins University.

Completing security risk assessments for a long list of applications and providing data security training to its entire staff are two of the top priorities for 2010 at Johns Hopkins Medicine, one of the nation's largest academic medical centers. In an interview, Stephanie Reel, vice president for information services for the Baltimore-based organization, spells out a top 10 list of data security priorities. The list also includes a massive effort to deploy new multi-factor authentication and broader use of encrypted e-mail. Reel is one of the nation's longest serving CIOs, with nearly 20 years of experience at Johns Hopkins. In addition to heading I.T. for the health system, she serves as vice provost for I.T. for all of Johns Hopkins University.

To make sure their information technology strategies adequately address the needs of physicians, many hospitals have designated a doctor to serve as chief medical informatics officer. These physicians are working closely with CIOs, CSOs and others to help select and implement I.T., including technologies to keep clinical information secure. In this interview, William Bria, M.D., chief medical informatics officer at Shriners Hospitals for Children, describes how the organization's 22 charity care hospitals are striving to provide doctors with easy access to a wealth of clinical information while minimizing the risk of privacy violations. Dr. Bria, founder and president of the Association of Medical Directors of Information Systems (AMDIS), also describes in detail the organization's use of: Two-factor authentication, including smart cards, at the hospitals; An additional authentication layer (codes generated by hardware tokens) for physicians accessing systems remotely; and New secure messaging technology that automatically encrypts e-mails detected to contain private information.

To make sure their information technology strategies adequately address the needs of physicians, many hospitals have designated a doctor to serve as chief medical informatics officer. These physicians are working closely with CIOs, CSOs and others to help select and implement I.T., including technologies to keep clinical information secure. In this interview, William Bria, M.D., chief medical informatics officer at Shriners Hospitals for Children, describes how the organization's 22 charity care hospitals are striving to provide doctors with easy access to a wealth of clinical information while minimizing the risk of privacy violations. Dr. Bria, founder and president of the Association of Medical Directors of Information Systems (AMDIS), also describes in detail the organization's use of: Two-factor authentication, including smart cards, at the hospitals; An additional authentication layer (codes generated by hardware tokens) for physicians accessing systems remotely; and New secure messaging technology that automatically encrypts e-mails detected to contain private information.