Friday, January 15, 2010

HIT security panel troubled by risk assessment void

A Health & Human Services Department advisory panel on privacy and security expressed concerns Monday over the inability of many healthcare providers to perform basic risk assessments of their health information assets, a tenet of the proposed “meaningful use” guidelines just released by the Centers for Medicare and Medicaid Services.

Dixie Baker, a member of the privacy and security workgroup of the Health IT Policy Committee, said she was surprised by a 2009 survey discussed at a recent HHS Health IT Standards Committee meeting that showed that 48 percent of the responding providers, mostly hospitals, performed no risk assessment.......

However, panelists said, there is little in the meaningful use policy that defines the scope of the required assessment. Instead, the requirement is based loosely on privacy and security rules contained in the Health Insurance Portability and Accountability Act (HIPAA).

MIAOULIS NOTE: All healthcare organizations should evaluate or begin their risk assessment program if they intend to meet meaningful use. (1) Identify your data and where it is located. (2) Review controls, threats, etc. to the data. (3) Implement controls to address high risk areas. (4) Start over at #1. If you have questions or need help, please contact me.
