Healthcare institutions are working hard to map audit and compliance efforts throughout their organizations, especially across critical applications and mainframe systems running legacy applications. All of this effort will result in more secure EHRs and improvements in patient privacy protections. But in a world of constrained resources, where should care providers focus the bulk of their improvements? Oftentimes it comes down to priorities, the organizational objectives, that will drive the process.
As related in a recent whitepaper from Coalfire, Andrew Hicks shares the following distinctions:
“HIPAA and HITRUST assessments each share the common objective of safeguarding healthcare information; however, the similarities end there. A HIPAA Security assessment will provide an organization reassurance that when all audit recommendations have been resolved, the organization will be compliant with the HIPAA requirements.
A HITRUST assessment and certification, on the other hand, takes a more risk-based approach, scaling the requirements to the risk characteristics of the organization and focusing on controls related to the leading causes of breaches in the healthcare industry. This approach also considers compliance with regulations such as HIPAA, allowing organizations to take a more holistic approach towards protecting sensitive information.”
(To access this whitepaper, look for “HIPAA versus HITRUST – FAQ” by Andrew Hicks, MBA, CISA, CCM, CRISC, HITRUST CSF Practitioner, Director, Healthcare Practice Lead, Coalfire Systems, Inc., www.coalfire.com.)
For leading healthcare institutions, checking the box for HIPAA compliance is often not enough. These organizations focus instead on addressing risks to patient information and potential security violations. Where protecting patient data and safeguarding access to EHRs (electronic health records) is paramount, the priority shifts to addressing risk across the whole organization.
In one of our recent engagements, a major care facility in the Northeast was seeking to understand who was accessing patient records. Here are some of the things they wanted to be able to examine as part of their approach to risk:
• VIP record snooping
• Executive record snooping
• Patient / employee record snooping
• Family member and self-examination of records
• Neighbor record snooping
• Identity Theft
• Medical Identity Theft
• Areas of potential non-compliance with federal and state regulations
Monitoring for these indicators and correlating that data across multiple systems was well within Luminet’s capabilities. In addition to capturing Epic, Kronos, Cerner, Meditech, and other log data, the Luminet solution was able to monitor the existing mainframe applications and correlate that information so that it alerted on suspicious activity in real time.
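To make the indicators in the list above concrete, here is an added example (not Luminet’s code or any vendor’s) of rule-based snooping detection run over a constructed EHR access log. It assumes a flat access-log schema (timestamp, user, patient, stated reason) plus three lookup tables that any monitoring system would have to correlate from HR, registration and scheduling data: which employees are themselves patients, which patients share a household or ZIP code with the accessing employee, which patients are flagged VIP, and which users have a treatment relationship (care-team membership) with each patient. All names, IDs and log lines are constructed for the example.

```python
"""Rule-based EHR record-snooping indicators over a constructed access log.

Hypothetical example; the schema, tables and rule set are assumptions, not the
logic of any product named on the page.
"""
from collections import namedtuple

Access = namedtuple("Access", "ts user patient reason")

# Constructed sample lookup tables (would be correlated from HR/registration data).
EMPLOYEES = {
    "jdoe":   {"patient_id": "P100", "household": "H1", "zip": "02110", "role": "nurse"},
    "asmith": {"patient_id": "P200", "household": "H2", "zip": "02115", "role": "clerk"},
    "bwong":  {"patient_id": "P300", "household": "H3", "zip": "02120", "role": "physician"},
}
PATIENTS = {
    "P100": {"household": "H1", "zip": "02110", "vip": False, "employee": True},
    "P101": {"household": "H1", "zip": "02110", "vip": False, "employee": False},  # jdoe's family
    "P200": {"household": "H2", "zip": "02115", "vip": False, "employee": True},
    "P500": {"household": "H5", "zip": "02115", "vip": True,  "employee": False},  # VIP patient
    "P600": {"household": "H6", "zip": "02110", "vip": False, "employee": False},
}
# Care-team assignments: users with a legitimate treatment relationship to the patient.
CARE_TEAM = {
    "P500": {"bwong"},
    "P600": {"jdoe", "bwong"},
    "P101": {"bwong"},
}

# Constructed sample access log.
ACCESS_LOG = [
    Access("2023-01-05T08:01", "jdoe",   "P600", "treatment"),  # on care team: normal
    Access("2023-01-05T08:07", "jdoe",   "P100", "treatment"),  # own record
    Access("2023-01-05T08:09", "jdoe",   "P101", "treatment"),  # same household
    Access("2023-01-05T09:15", "asmith", "P500", "billing"),    # VIP + same ZIP, no care relation
    Access("2023-01-05T09:20", "asmith", "P200", "billing"),    # own record
    Access("2023-01-05T10:00", "bwong",  "P500", "treatment"),  # VIP, but on care team: normal
    Access("2023-01-05T10:30", "bwong",  "P100", "treatment"),  # employee's record, no care relation
]


def classify(access):
    """Return the list of snooping indicators raised by one access event.

    Rules mirror the bullet list above: self-examination, family member,
    neighbor, VIP and employee-record snooping. A care-team relationship
    suppresses the neighbor/VIP/employee rules but never the self/family ones,
    since treating yourself or a relative is itself the policy question.
    """
    emp = EMPLOYEES.get(access.user)
    pat = PATIENTS.get(access.patient)
    if emp is None or pat is None:
        return ["unknown-principal"]   # unmapped user or patient: surface for triage
    on_care_team = access.user in CARE_TEAM.get(access.patient, set())
    findings = []
    if emp["patient_id"] == access.patient:
        findings.append("self-examination")
    elif emp["household"] == pat["household"]:
        findings.append("family-member-access")
    elif emp["zip"] == pat["zip"] and not on_care_team:
        findings.append("neighbor-access")
    if pat["vip"] and not on_care_team:
        findings.append("vip-snooping")
    if pat["employee"] and emp["patient_id"] != access.patient and not on_care_team:
        findings.append("employee-record-snooping")
    return findings


def run_detection(log):
    """Return (user, patient, indicators) for every event that raised at least one indicator."""
    alerts = []
    for access in log:
        findings = classify(access)
        if findings:
            alerts.append((access.user, access.patient, findings))
    return alerts


if __name__ == "__main__":
    for user, patient, findings in run_detection(ACCESS_LOG):
        print(f"{user} -> {patient}: {', '.join(findings)}")
```

The care-team table is the piece that does the real work: without a record of who is legitimately treating a patient, every VIP or co-worker lookup looks the same, which is why correlating scheduling and HR data with the access log matters more than any single rule.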
Then, as part of a comprehensive risk approach, we were able to add visibility into the hospital’s accounting and payroll systems. Luminet’s ability to monitor Lawson and other accounting systems enabled a new level of visibility and added clarity on the financial operations side of the house. This benefit wasn’t available with other monitoring systems focused exclusively on EHR and patient data.
When considering whether to address HIPAA or HITRUST concerns, organizations would be well served to take a long view and invest in systems flexible enough to meet their present and future needs. A number of modern systems can address HIPAA, PCI-DSS, state regulations like SB 1386, Meaningful Use, and Accounting of Disclosures. But if it is time to make an investment, wouldn’t it be best to select a technology partner and a solution that can help address risk across all of your critical systems?