Opportunity Knocks: Healthcare and Regulations

From the Editors of CIOSC

Regulatory compliance is a hot-button issue in many industries, not the least of which is healthcare. With the final HIPAA compliance deadline set for spring 2005, organizations in the healthcare industry have been working to come up with solutions to secure their electronic data. On top of that, many healthcare organizations have also been grappling with the accountability requirements of the Sarbanes-Oxley Act (SOX). In many cases, even those who are not formally subject to the requirements of SOX are using it as a framework for better overall governance. Following is a look at what lies ahead for the healthcare industry this year, and at some important security strategies and technologies that are being adopted.

The Security Rule

As of April 21, 2005, all healthcare organizations (with the exception of small health plans that have until April 2006 to comply) must be in compliance with HIPAA's Security Rule. The Security Rule is intended to ensure the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI). The Security Rule is concerned with the technical aspects of protecting ePHI, as opposed to the Privacy Rule of April 2003, which broadly covered all forms of health information: written, oral, and electronic.

Specifically, the Security Rule requires that healthcare entities maintaining or transmitting ePHI adopt reasonable and appropriate administrative, technical, and physical safeguards:

  • To ensure the integrity and confidentiality of patient information.

  • To protect against any reasonably anticipated threats or hazards to the security or integrity of the information.

  • To protect against unauthorized use or disclosure of the information.

  • To otherwise ensure compliance among employees or officers.

More collaboration needed

There is no doubt that regulations like HIPAA, SOX, and Gramm-Leach-Bliley have brought attention to the way electronic data is managed. Regulatory concerns have made overall network security management a priority, rather than leaving efforts focused solely on fighting off individual threats. URAC, a Washington D.C.-based non-profit, found that many healthcare organizations are having trouble meeting the security demands of HIPAA in part because too much of the responsibility is placed on IT departments when it should be treated primarily as a business function. URAC said information security is not solely a technology problem -- rather, it is a business problem that relies on technology-savvy decision-makers and technology investment.

Even though SOX applies only to publicly traded companies, many healthcare organizations are finding that its mandate for sound financial statements -- and fraud-resistant data and procedures to compile those financial statements -- is similar in nature to the accountability and integrity of ePHI that is required by HIPAA. Records must be kept in a logical, thorough, and secure way so that nothing is at risk of being corrupted, lost, or stolen. In anticipation of potential future regulations, and in an effort to build a sound information security program from the ground up, many healthcare organizations are finding that a good strategy will take into account not only HIPAA, but also SOX standards. Those organizations believe that, in the long term, the technologies and methods they're implementing now, whether a result of regulation or not, will be good for business.

Important technologies

In order to provide better accountability and integrity of electronic data, here are some technologies that are being used increasingly in healthcare:

  • Network Storage Solutions  The need to maintain access to patient records in a timely, secure, and organized manner is the reason why data storage management solutions are being considered by many healthcare organizations. According to industry analyst Frost & Sullivan's recent "Data Storage Management Markets for U.S. Healthcare Settings" report, storage hardware revenue in healthcare totaled $845.2 million in 2004, and is expected to exceed $1.3 billion in 2008. Frost & Sullivan attributes the high demand for storage to the volume of medical images, patient records, and hospital administration-related data. In fact, the volume of healthcare data is increasing by more than four times every two years.

  • Disaster Recovery and Backup  The critical nature of healthcare data becomes an issue if something goes wrong, or if a system fails. If the health of a patient is at stake, closing off or shutting down the system until a problem is isolated and removed is not an option. That is why healthcare organizations are developing disaster recovery plans and implementing backup and recovery systems.

  • Policy Management  Keeping servers, databases, applications, networks, and security controls in compliance with in-house security policies and regulations like HIPAA can seem like an arduous task -- but it doesn't have to be. Policy management solutions measure compliance and interact with the actual computer environment to make any necessary changes, automatically keeping systems in line with policies and regulations.

  • Clientless VPN  The number of remote connections being made directly into a typical healthcare organization's network is increasing. For example, healthcare providers routinely access Web portals to update records, check on a patient's status, or view schedules from a remote location. Clientless VPN is the key to making easy and safe remote connections in these situations because it leverages existing browser software on the client (or remote user) end.

  • Identity management and encryption  Identity management is all about creating and managing user identities and access privileges in accordance with a security policy. This is not just good practice from a security management perspective -- the access control and audit requirements of HIPAA and SOX require it. HIPAA does not expressly mandate encryption, but healthcare organizations are increasingly using it to help ensure data confidentiality. Wireless use is growing in healthcare for data capture and access, and as data is sent over the airwaves, it is potentially vulnerable to interception or other unauthorized access. Strong encryption is important with wireless transmissions, because it will protect data confidentiality and integrity.

Conclusion

Healthcare is one of the most -- if not the most -- data-intensive industries. This is why so many forward-thinking organizations are taking data management and security beyond HIPAA and using SOX guidelines as a framework for security. Once an organization is able to get its IT and business groups to begin collaborating on security issues, the door is open to building a more secure infrastructure. As the regulatory climate becomes more stringent, and organizations are called on to be more accountable for their practices and information management, those who are diligent about security management can expect it to pay off in the long run.

CIO Strategy Center is a daily editorial resource offering innovative insights and strategies for building an integrated, secure and resilient IT infrastructure.

Entire contents ©2008 InfoEdge. All Rights Reserved.
Email: research@infoedge.com