ONC issues privacy and security guidance

Compliance, tips, HIPAA and cybersecurity all included
By Erin McCann
10:45 AM
During the HIMSS15 annual conference in Chicago last week, the Office of the National Coordinator for Health IT announced the release of a new and improved guide for securing electronic health information that hospitals, providers and business associates can integrate into their practice.

How to comply with MU security requirements, questions you should ask your health IT vendors and everything from cybersecurity and HIPAA to action plans and checklists are among the big highlights. 

Many useful tips, permitted use cases, compliance requirements and HIPAA explanations have been added since the last update, four years ago.

The guide, as ONC Chief Privacy Officer Lucia Savage explained in a blog post, has been revised to include new "practical information" on topics such as cybersecurity, encryption, patient access and the HIPAA privacy and security rules in action. The revised version also includes information on compliance with the EHR Incentive Programs' security requirements.

And for those looking for more guidance on what questions to ask their health IT vendors, look no further.

The handbook "also offers suggested questions providers may want to ask their health IT developers or EHR companies so they can be confident that the systems they buy and use will meet their privacy and security needs," Savage explained.

Top of this list are questions such as: "How does my backup and recovery system work? How often do I test this recovery system? How much remote access will the health IT developer have to my system?" and "How much of the health IT developer's training covers privacy and security awareness, requirements and functions?"

According to a new Verizon data breach report that analyzed the healthcare vertical, physical theft or loss accounted for the lion's share, some 26 percent, of security incidents by pattern. Another 20 percent of security incidents were due to insider privilege and insider misuse; "miscellaneous errors" accounted for 19 percent. Other patterns noted in the report for the healthcare vertical were upticks in DoS and Web app attacks, at 9 percent and 7 percent respectively.