Tips on Audits, Cloud and Social Media
Privacy and Security Insights from the Experts

Whether you're preparing for the upcoming HIPAA compliance audits, pondering a move to cloud computing or developing a social media policy, it pays to get privacy and security tips from experts in the field.
In recent weeks, HealthcareInfoSecurity has featured insights on each of these topics. Here are a few highlights.
HIPAA Audits
Conducting a thorough self-assessment is the best way to prepare for the upcoming HIPAA compliance audits, many regulatory experts advise (see: HIPAA Audits: A Preparation Checklist).

"This is just another opportunity for covered entities to take a moment from their busy, busy days and do a self-assessment," says Susan McAndrew, deputy director for health information privacy at the Department of Health and Human Services' Office for Civil Rights, which oversees the audit program.
Conducting a self-audit on privacy and security issues and creating a plan for remediating risks are essential preparation steps, says Cliff Baker, CEO of Meditology Services. "It puts an organization in a much stronger position for it to be discussing timelines and priorities for remediation versus being surprised by the auditors' findings ... and being in a reactionary mode," Baker stresses.
And the time to conduct that self-audit is now, before the auditors come knocking at the door.
Cloud Computing
When it comes to cloud computing, it pays to do your homework on key privacy and security issues before signing a contract (see: Cloud Computing: Timely Tips).

"Transparency into cloud operations is vital," says Gerard Nussbaum, director of technology services at Kurt Salmon. Potential users should ask cloud vendors a series of questions, he says, including: Who is handling administrative rights? Who is managing the virtual machine environment? Who has database and network access?
Cloud computing customers should demand access logs, he adds. "If the hosting provider is not going to provide you with good logs on who is handling your information ... then you have to be circumspect about the overall quality of the vendor."
Organizations also should demand the right to audit "pretty much anything within the cloud environment," adds Feisal Nanji, executive director at Techumen. "If the vendor is doing a good job, then they really have nothing to hide."
And if a vendor resists a request for access logs or offers a song and dance about why they cannot allow an audit, it's time to find a different cloud partner.
Social Media Policy
It may be tempting to ban the use of social media in the workplace to help minimize risk. After all, lots of hospitals are doing just that. But not so fast, advises Jenny Corotis Barnes, assistant general counsel at The Ohio State University Medical Center.

Barnes, who participated in developing the medical center's comprehensive social media policies, says restricting access to social media in the workplace is short-sighted and won't help improve patient privacy.
"Think about where the future is going with social media and with being connected electronically," the attorney advises. "Hospitals should realize that shutting down access isn't going to work in the long-run." Barnes points out that even if a hospital prohibits most of its employees from using its computers to access social media, staff members "will use their smart phones and get to social media anyway."
She advises healthcare organizations to carefully consider whether they want "an educated workforce that knows about social media and will know how to use it and the risks that come with it and the value of it. If so, you need to get over the initial fear of somebody saying something bad about the organization on the Internet. That's going to happen no matter what. It's better to have an educated workforce and work through the risks ... and have the policies and the procedures and the environment that embraces all aspects of social media."
Preliminary results of our inaugural Healthcare Information Security Today survey show that only about half of healthcare organizations have a social media policy in place. Whether you're just starting to develop your policy, or you've had one for a while, it's worth carefully considering whether prohibiting staffers from using social media on their lunch breaks accomplishes anything.