Healthcare execs and IT pros don’t always agree on privacy and security

Security analyst says that while most executives believe they are HIPAA-compliant, few actually know what compliance means.
By Chris Nerney
11:31 AM

The Health Insurance Portability and Accountability Act requires covered entities and their business associates that handle protected health information to implement stringent safeguards for that data. Yet executives at many healthcare organizations are in the dark – sometimes willfully – about how compliant their organizations actually are with the HIPAA Privacy and Security Rules, according to Brand Barney, a security analyst for SecurityMetrics.

Barney will be running a session at HIMSS16 in Las Vegas next week on the importance of gaining a realistic assessment of your organization’s ability to meet HIPAA compliance mandates.


In his role at SecurityMetrics, Barney consults with companies and conducts audits on their data security and compliance.

“What I’m seeing in the industry is a massive gap between IT professionals and executives regarding HIPAA,” he said. “Most executives believe they are HIPAA-compliant, but few really even understand what HIPAA is. They don’t know what it does for them. They say, ‘I got sold an EMR, or my attorney handles my privacy, or my IT professional covers security.’”

That gap between perception and reality is where danger lies, Barney added.

“Patient data is being removed from your organization and you don’t even know,” he said. “We’re not talking about credit card information; my HIPAA information has 18 identifiers, and it’s unique.”

Even worse, some C-suite members are willfully ignorant about the source of data privacy and security dangers.


“There’s a lot of avoidance,” Barney said. “They don’t want to even think about insider threats. But people with privileged use levels, such as managers with access to PHIs, pose the greatest insider threat to an organization. And business associates are a major liability.”

During his session Barney will examine widespread assumptions about HIPAA and data security among healthcare executives and IT staff, the common barriers that keep organizations from implementing crucial security improvements, and how to reduce the probability of a data breach by weighing an organization's vulnerabilities, threats, and risks.

“HIPAA Reality Check: The Gap Between Execs and IT” is scheduled for March 1 from 11:30 a.m. to 12:30 p.m. PST in the Sands Expo Convention Center, Palazzo L.
