HIPAA Compliance for Medical Practices
HIPAA Compliance and HIPAA Risk management Articles, Tips and Updates for Medical Practices and Physicians

Risks Growing, But Not InfoSec Budgets

The recent cyber-attack against Anthem Inc. that exposed personal information on 78.8 million individuals is just the latest siren that the healthcare threat landscape is becoming more menacing. But while cyberthreats are rising, budgets for information security are not at many healthcare organizations, according to our 2015 Healthcare Information Security Today survey.

Our survey, which was conducted in December and January, found that only 43 percent of healthcare organizations - including hospitals, delivery systems, clinics and payers - say their information security budgets will increase this year, with 31 percent reporting flat funding and 5 percent seeing a decrease. The remainder were uncertain.

In the coming weeks, look for a webinar and detailed report on our survey.

Other survey results suggest that many healthcare organizations aren't devoting enough resources to taking such basic security steps as making use of encryption.

For instance, our survey shows that only 56 percent of organizations are applying encryption for mobile devices, despite loss and theft of unencrypted computing devices being a top culprit in major health data breaches.

And even fewer organizations - 36 percent - apply encryption to servers and databases. Keep in mind that the Anthem database that was recently hacked was reportedly unencrypted.

VA Budget Plans

Although our survey results show most organizations have yet to ramp up security spending, I learned at a recent media briefing that the Department of Veterans Affairs plans to spend more on security - assuming Congress approves its budget.

VA CIO Steph Warren says the information security proposed budget for fiscal 2016, which begins Oct. 1, is $180.3 million - or 6 percent of its total IT budget - including $53 million for the VA's cybersecurity program. That's up from an enacted fiscal 2015 information security budget of $156 million, which included $45.5 million for cybersecurity.

Ramping up spending at the nation's largest healthcare provider is a wise move, given the growing sophistication of targeted attacks, as well as the proliferation of malware and suspicious e-mail that the VA is constantly defending itself against.

"Cybersecurity is a team sport," Warren says. "We've got dollars identified in the budget that are new tools or new processes, but [for] every single VA employee [especially] at the medical centers, a large part of the job is cyber support - doing activities and actions that are necessary to secure the enterprise." And thus, there are elements of cybersecurity spread throughout the VA's proposed IT budget, he adds.

Among efforts that are part of the VA's overall information security spending plans for fiscal 2016 are investments in tools and process improvements related to incident management, anti-malware, domain protection and two-factor authentication.

"We continue to keep up with the threats - the threats keep growing," Warren says.

That's something that more private sector healthcare organizations need to remember too while plotting out their information security efforts for 2015 and beyond.

FTC's Edith Ramirez: Connected health devices create bevy of privacy risks

For much of 2014, the Federal Trade Commission made it a point to be a prominent voice regarding the protection of consumer health information. Last May, for instance, it published a report recommending that Congress force data brokers to be more transparent about how they use the personal information of consumers, including health information.

And in July, FTC Commissioner Julie Brill spoke about how consumers should be given more choices from developers when it comes to data sharing by smartphone apps gathering health information.

That trend continued Tuesday at the International Consumer Electronics Show in Las Vegas, where FTC Chairwoman Edith Ramirez spoke about privacy protection, including for health data. Ramirez noted, for instance, that while the Internet of Things has the potential to improve global health, the risks are massive.

"Connected devices that provide increased convenience and improve health services are also collecting, transmitting, storing and often sharing vast amounts of consumer data, some of it highly personal, thereby creating a number of privacy risks," Ramirez said. "These risks to privacy and security undermine consumer trust."

Ramirez outlined three challenges to consumer privacy presented by the Internet of Things:

  • Ubiquitous data collection
  • Unexpected data use resulting in adverse consequences
  • Increased security risks

Additionally, she said that technology developers must take three steps to ensure consumer privacy:

  • Adopt "security by design"
  • Engage in data minimization
  • Boost transparency and offer consumers choices for data usage

"[T]he risks that unauthorized access create intensify as we adopt more and more devices linked to our physical safety, such as our cars, medical care and homes," Ramirez said.

Members of the House Committee on Oversight and Government Reform questioned the FTC's health data and cybersecurity authority at a hearing last summer. Committee Chairman Darrell Issa (R-Calif.) said that safeguards are needed to guide the FTC's processes in determining entities subject to security enforcement.

Last January, the agency ruled that entities covered under the Health Insurance Portability and Accountability Act may also be subject to security enforcement by the FTC.
