Expert says patient privacy practices are not possible without security

In this podcast, a health IT compliance expert discusses how security is essential to achieving true patient privacy practices and offers three security tactics.

BALTIMORE -- Patient privacy practices aren't possible unless a healthcare organization is also ensuring cybersecurity. Unfortunately, that's a tall order in today's healthcare cybersecurity environment, says David Holtzman, vice president of compliance strategies at CynergisTek, a healthcare IT consulting firm based in Austin, Texas.

"I think a lot of what we are seeing in healthcare today is being driven by the spate of malware attacks and cybersecurity incidences which are finding the ability to infiltrate information systems that aren't very well protected," Holtzman said. "And because you can't have [patient privacy practices] without security, we're seeing a lot of the confidentiality and the availability of health information being destroyed."

Holtzman, who spoke at the 2016 AHIMA Convention, recognizes that some healthcare organizations, particularly the smaller physician practices, often don't have the fiscal resources to invest in the appropriate cybersecurity technologies or the human resources needed to make sure patient data is kept secure and private.

"We're developing an industry of haves and have-nots," Holtzman said. "Because of our interconnected nature of healthcare, if we don't work to secure the links [that are least] able to secure their information systems, that leaves the rest of us all exposed."

Holtzman believes the most effective technologies are those that take preventative measures, and that they are key to cybersecurity and patient privacy practices. He offers three technology examples:

  1. Next-generation firewalls: Holtzman believes that having next-generation firewalls at the perimeter would help keep malicious content and attachments out of the organization, and that email and web gateways would be capable of identifying that malicious content.
  2. Make it difficult for hackers to gain access: Holtzman thinks this can be done in several ways, including two-factor authentication for critical applications, databases and administration privileges, and the use of vaulting to make privileges non-persistent. "In other words, if someone needs enhanced access or advanced administrative privileges to access an information system, when you give them the keys to the kingdom make sure it's a one-time use key so that it expires once the activity is completed," Holtzman said.
  3. Advanced malware detection: "Technologies that read the network or information traffic so it's capable of recognizing anomalous signatures and blocking and reviewing it prior to letting it through or stopping it altogether," Holtzman said.
