
HIT Policy Committee


Presentation Transcript


  1. HIT Policy Committee
     Report from HIT Standards Committee Privacy and Security Workgroup
     Dixie Baker, SAIC
     December 15, 2009

  2. Demystifying Standards Recommendations
     • Standards, certification criteria, and implementation guidance are intended for use in certifying EHR products
     • How these capabilities are used within a healthcare environment is based on an individual organization’s size, complexity, capabilities, technical infrastructure, risks and vulnerabilities, and available resources
     • Standards and certification criteria help assure that a “certified EHR product” provides the technical capabilities an organization will need in order to:
       • Comply with HIPAA and ARRA privacy and security provisions
       • Participate in the exchanges necessary to demonstrate “meaningful use”

  3. Demystifying 2011 Recommendations

  4. Demystifying 2011 Recommendations

  5. Demystifying 2011 Recommendations

  6. Security Hearing – November 19, 2009
     • Security protection is foundational to “meaningful use” of electronic health records (EHRs) – essential for privacy protection, patient safety, and quality care
     • Hearing sought inputs from domain experts and health practitioners on potential issues, challenges, threats, and solutions around the securing of health information

  7. Hearing Panels
     • System Stability and Reliability
       • Challenges related to maintaining the stability and reliability of electronic health records (EHRs) in the face of natural and technological threats
     • Cybersecurity
       • Challenges related to maintaining the trustworthiness of EHRs and Health Information Exchanges (HIEs) in the face of cyber threats such as denial of service attacks, malicious software, and failures of internet infrastructure
     • Data Theft, Loss, and Misuse
       • Challenges involving accidental loss of data, data theft, extortion and sabotage, including criminal activities and other related areas
     • Building Trust
       • Issues and challenges related to building and maintaining trust in the health information technology ecosystem, and the impacts that real and perceived security weaknesses and failures exert on health organizations, individual providers, and consumers

  8. Key Messages for Policy Committee
     • Security awareness among healthcare organizations is low, and many organizations are not complying with HIPAA! HIMSS 2009 Survey found:
       • Fewer than half (47%) conduct annual risk assessments
       • 58% have no security personnel
       • 50% reported information security spending ≤3%
     • Days of tightly controlled perimeters are long gone – need to address distributed, mobile, wireless, and virtual resources, as well as computers embedded in FDA-regulated biomedical devices
     • Cyberthreats are real – and as a critical component of our national infrastructure, health care is targeted

  9. Key Messages (2)
     • Security plays a major role in protecting patient safety
       • Data integrity protection to help ensure accuracy of patient records
       • Protection of safety-critical information (e.g., clinical guidelines)
     • Need for defense in depth – layered policy and protection
     • Need to continually monitor and measure security “outcomes” – effectiveness of security policies and mechanisms cannot be assumed
     • Use “evidence-based” security policies and practices
     • Today’s security is plagued with dogma – password rules are antiquated, PC security may not matter, file encryption ineffective

  10. Key Messages (3)
     • Need baseline policies and standards for:
       • Authorization
       • Authentication – identity proofing and authentication is foundational since all other security protection depends upon it
       • Access Control
         • Role-based security is important – but roles vary across institutions, so creating common policy would be challenging
       • Audit trail
         • Audit logs from vendor systems may be insufficient to detect misuse
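Slides 9 and 10 make two points that are easy to state and hard to operationalize: that the effectiveness of security mechanisms has to be measured rather than assumed, and that an audit trail is only useful for detecting misuse if each record carries enough context (who, in what role, did what, to which patient) to support a check. The Python block below is an added example, not part of the presentation and not the code of any EHR product. It runs three defender-side misuse checks over constructed audit records (an action outside the user's role permissions, an access without a documented treatment relationship, and rapid browsing across many distinct patients), and reports which fields a thinner vendor log would lack. The record layout, the role permission table, the care-team mapping, the 60-second window and the five-patient threshold are all assumptions chosen for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample audit records for this example (not from any real EHR).
# Layout (an assumption): timestamp|user|role|action|patient_id
SAMPLE_AUDIT_LOG = [
    "2009-12-15T08:01:10|dr_ahmed|physician|VIEW|P1001",
    "2009-12-15T08:03:42|dr_ahmed|physician|UPDATE|P1001",
    "2009-12-15T08:05:00|nurse_lee|nurse|VIEW|P1002",
    "2009-12-15T08:06:30|billing_kim|billing|UPDATE|P1002",  # billing role editing a record
    "2009-12-15T08:07:05|billing_kim|billing|VIEW|P1001",
    "2009-12-15T08:07:09|billing_kim|billing|VIEW|P1002",
    "2009-12-15T08:07:13|billing_kim|billing|VIEW|P1003",
    "2009-12-15T08:07:20|billing_kim|billing|VIEW|P1004",
    "2009-12-15T08:07:26|billing_kim|billing|VIEW|P1005",
    "2009-12-15T08:07:31|billing_kim|billing|VIEW|P1006",
    "2009-12-15T09:30:00|dr_ahmed|physician|VIEW|P1003",    # no documented treatment relationship
]

# Assumed role permission table (the "role-based security" of slide 10).
ROLE_PERMISSIONS = {
    "physician": {"VIEW", "UPDATE"},
    "nurse": {"VIEW", "UPDATE"},
    "billing": {"VIEW"},
}

# Assumed documented treatment relationships: patient -> users on the care team.
CARE_TEAM = {
    "P1001": {"dr_ahmed", "nurse_lee", "billing_kim"},
    "P1002": {"nurse_lee", "billing_kim"},
    "P1003": {"billing_kim"},
    "P1004": {"billing_kim"},
    "P1005": {"billing_kim"},
    "P1006": {"billing_kim"},
}

# Fields an audit record must carry for the checks below to be possible at all.
REQUIRED_FIELDS = ("timestamp", "user", "role", "action", "patient")

VOLUME_WINDOW = timedelta(seconds=60)  # assumption: sliding window for browsing detection
VOLUME_THRESHOLD = 5                   # assumption: distinct patients in one window


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    user: str
    role: str
    action: str
    patient: str


def parse_event(line):
    """Parse one pipe-delimited audit record; reject records with missing fields."""
    fields = line.split("|")
    if len(fields) != len(REQUIRED_FIELDS):
        raise ValueError(f"malformed audit record: {line!r}")
    ts, user, role, action, patient = fields
    return AuditEvent(datetime.fromisoformat(ts), user, role, action, patient)


def missing_audit_fields(fields_present):
    """Return the required fields that a vendor's audit format does not record."""
    return [f for f in REQUIRED_FIELDS if f not in fields_present]


def detect_misuse(lines, care_team, role_permissions=ROLE_PERMISSIONS):
    """Run three misuse checks over audit records, in arrival order.

    Returns (rule, user, detail) tuples:
      rbac_violation            - action not permitted for the user's role
      no_treatment_relationship - user not on the patient's documented care team
      high_volume_access        - many distinct patients touched within VOLUME_WINDOW
    """
    findings = []
    recent = defaultdict(list)   # user -> [(when, patient)] inside the sliding window
    volume_flagged = set()       # report the browsing pattern once per user
    for ev in (parse_event(line) for line in lines):
        if ev.action not in role_permissions.get(ev.role, set()):
            findings.append(("rbac_violation", ev.user, ev.patient))
        if ev.user not in care_team.get(ev.patient, set()):
            findings.append(("no_treatment_relationship", ev.user, ev.patient))
        # Keep only this user's events that fall inside the sliding window.
        window = [(t, p) for t, p in recent[ev.user] if ev.when - t <= VOLUME_WINDOW]
        window.append((ev.when, ev.patient))
        recent[ev.user] = window
        distinct = {p for _, p in window}
        if len(distinct) >= VOLUME_THRESHOLD and ev.user not in volume_flagged:
            volume_flagged.add(ev.user)
            findings.append(("high_volume_access", ev.user,
                             f"{len(distinct)} patients in {VOLUME_WINDOW.seconds}s"))
    return findings


if __name__ == "__main__":
    for finding in detect_misuse(SAMPLE_AUDIT_LOG, CARE_TEAM):
        print(*finding, sep="\t")
    # A log that records who did what, but neither the role nor the patient,
    # cannot support the role or relationship checks above.
    print("thin vendor log lacks:", missing_audit_fields(["timestamp", "user", "action"]))
```

The relationship check is the one that most often cannot be run on a vendor's native log, because it needs the patient identifier and an external source of treatment relationships; `missing_audit_fields` is the quick way to establish that before building detection on top of a log.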
