Compliance & Legal

Jeff Coughlin
By HIMSS TV | 06:32 pm | May 30, 2019
Jeff Coughlin, senior director of Federal and State Affairs at HIMSS, discusses information-blocking, interoperability, social determinants and recently proposed rules from CMS and ONC.
By HIMSS TV | 12:04 pm | May 22, 2019
Will Smart, CIO for Health and Social Care in England, says measuring digital maturity using tools such as EMRAM helps the NHS track progress of the global digital exemplars against international standards.
By Mike Miliard | 03:17 pm | May 20, 2019
Diagnosis and treatment of disease and antibiotic-resistant bacteria is complex and challenging for small hospitals, which could care for patients with remote help from top-tier infectious disease experts.
By Benjamin Harris | 12:01 pm | May 17, 2019
Healthcare systems need to collaborate on defense and rely on AI and machine learning to respond to new threats, study finds.
By Laura Lovett | 03:16 pm | May 02, 2019
Erika Cheung recently launched the Ethics in Entrepreneurship venture in Hong Kong and the US to help startups navigate ethics in innovation.
By Benjamin Harris | 01:02 pm | April 29, 2019
A new security report finds the average institution leaves terabytes of sensitive information exposed to unauthorized parties.
By Bill Siwicki | 02:25 pm | April 22, 2019
Printers present a unique cybersecurity threat, and the provider organization was serious about protecting them and staying in compliance with HIPAA. It also was serious about ROI.
By Bill Siwicki | 04:38 pm | April 19, 2019
Providers there also don't have to wait 28 days for access to Epic and other systems, and now receive full rights within two days.
By Mike Miliard | 01:36 pm | April 11, 2019
Despite some halting progress with cybersecurity readiness, healthcare is still lacking in many key areas, according to a new progress report from the consultancy CynergisTek. In particular, the study took a look at how healthcare organizations are stacking up with the advice and best practices of the NIST Cybersecurity Framework, as well as the HIPAA privacy and security rules. The findings, say CynergisTek researchers, are "sobering."

WHY IT MATTERS

To start with, the report – based on the results of assessments, audits and reviews performed by CynergisTek at some 600 healthcare organizations and business associates – found that, from the perspective of the NIST CSF, most of the orgs surveyed were still performing "well below where we would like to see them," said CynergisTek CEO Mac McMillan in the report. It found an average 47 percent conformance with NIST CSF controls and an average 72 percent compliance with the HIPAA Security Rule.

While the HIPAA adherence was slightly better and "within normal range," several specific findings underscored a key point that's become a mantra: "compliance does not equate to security," he said. For example, while hospitals and health systems may be meeting the letter of the law when it comes to HIPAA rules, CynergisTek researchers found that one of the key planks of conformance with the NIST CSF – breach detection – was not where it should be for many of the organizations it assessed.

"Given the threat environment we operate in today where literally some percentage of almost everything computerized is a threat, the inability to effectively discover and respond to events is a real issue," said McMillan.

Worse than the numbers themselves is the fact that they represent only a minimal improvement in NIST CSF conformance since a similar progress report was done this past year – just a 2 percent increase – and CynergisTek actually saw a 2 percent decrease in compliance with the HIPAA Security Rule.
Researchers also found that across the five "core functions" of the NIST CSF – identify, detect, protect, respond and recover – there was relative stability year-to-year, even as the "detect" function lagged the other four. But when it came to awareness and training, a key driver of the "protect" function, there was a slight downtick in conformance, the report shows. That's "likely not significant," researchers conceded, but "it does beg the bigger question around security: If you are not improving, are you actually slipping back?"

Among some other notable findings from the study: More than 60 percent of CynergisTek's assessments discovered noticeable gaps in the maintenance of written policies and procedures to guide the healthcare workforce around the use and release of PHI. As for third-party vendors, "the most common gaps among included risk assessment, access management, and governance," researchers found. And at healthcare organizations, nearly 75 percent of unauthorized insider access came from employees' household members.

THE LARGER TREND

Interestingly, at least on the subject of breach detection, the findings of the CynergisTek report diverge somewhat from those of another study this week, from BakerHostetler, which found that while phishing scam artists are still doing their darndest to take advantage of employee error, one of the bright spots had to do with substantial improvements in in-house detection among the organizations it surveyed.

Whichever of those stats is more indicative of the true larger picture, however, it's inarguable that healthcare still has major work to do when it comes to cybersecurity preparedness – and that goes for all employees across the enterprise, from low-level back office staff to the CEO. Indeed, as we showed this week, too many CEOs – amazingly – still aren't giving infosec the high-level attention and on-the-ground resources it deserves and demands.
ON THE RECORD

David Finn, executive vice president of strategic innovation at CynergisTek, said the decline in the awareness and training category under the NIST CSF "protect" capability "is very alarming considering how much more sophisticated attackers were with targeted phishing attempts and new attack vectors, such as medical devices." In addition, "the fact that we did not see any improvement in either the respond or recover functions means we may be losing even more ground with the increased number of attacks last year," he noted. "Organizations need to take into account whether their individual security needs are actually being met in order to be truly secure, and not only compliant."

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS Media publication.
By Bill Siwicki | 04:02 pm | April 04, 2019
Three experts on health IT consulting offer healthcare CIOs and other leaders key advice on how best to start a relationship with an outside consultant – and keep it going.