Security and Compliance: What are Providers Missing?

16 March 2012 | Dr. Dennis Schmuland, Chief health strategy officer, U.S. Health and Life Sciences, Microsoft

Recently, I wrote on the topic of security and compliance among health plans, to accompany the first webcast in a two-part series titled “What's Missing from Your Security and Compliance Efforts?”

However, health plans aren't alone in navigating this increasingly demanding landscape, as many of the same requirements and regulations are placing a burden on healthcare provider organizations.
HITECH, ICD-10, and Meaningful Use, for example, are changing the way healthcare providers use protected health information (PHI). Expectations around how we protect this data are becoming more and more stringent, with enforcement, auditing and fining entities significantly more active.
The second webcast in the series, hosted by Microsoft and WPC, will focus on how providers can meet these new expectations while maintaining an equal focus on health outcomes, efficiency, innovation, and overall market strength. I've asked security and compliance expert, Eric Mueller, Services President of WPC, to share his thoughts on the shifting sands of security for providers.
Can you explain how security and compliance requirements for healthcare providers are changing? What’s different from years past?
Mueller: Prior to health reform most organizations were primarily focused on security within their “four walls,” but that approach is no longer sufficient. The goal of health reform is to digitize health data for the purpose of using it to improve care and to collaborate with other entities that interact with the patient. This level of collaboration and coordination holds a lot of promise but it also creates new security and compliance scenarios that most providers don’t fully understand. Another new and overlooked difference is that security and compliance also extends to business associates of covered entities. Very few providers understand how business associates secure and protect their data but they do so at their own peril.
What steps should providers take now to prepare for the future?
Mueller: Securing sensitive data can seem like an overwhelming task, but it doesn’t have to be. The first and most important step is an assessment of your current security and compliance posture. The results of the assessment will help you create and prioritize a security and compliance roadmap. Security is a journey, not a destination, so it’s important to have a continuous cycle of assessment and remediation. Taking this approach will create a framework that addresses today’s challenges and prepares you for tomorrow’s.
What are the most common challenges providers are encountering with security and compliance?
Mueller: There are several, but three specific challenges come to mind: competing priorities, lack of security and compliance expertise, and lack of resources. Unfortunately, most organizations think of security and compliance as an afterthought. As a result it’s not an integral part of their operations and ultimately ends up being neglected.
What about a focus on outcomes and innovation? How can these areas be addressed concurrently with compliance/security?
Mueller: Security and innovation are not mutually exclusive. If done properly, security is a business and innovation enabler. A mature security posture enables organizations to be more creative, collaborative, and innovative. A great example is enabling caregivers to access clinical data from tablets and mobile phones at the point of care without putting patient data at risk. Other examples include the enablement of Accountable Care Organization (ACO) and health information exchange (HIE) participation, and embracing certain aspects of social media to engage with patients.
We’re beginning to see a handful of forward-thinking providers recognize that security and compliance can be a strategic advantage for their organization. That is encouraging to see and we’re thrilled to work with customers to capitalize on that advantage.
Don’t forget to join the webcast on March 22 at 11:00 a.m. PT to learn more. Please click here for more information on the webcast and to register.
Dr. Dennis Schmuland
Chief health strategy officer, U.S. Health and Life Sciences, Microsoft