09-24-13 | Blog Post
Here at the Privacy & Security Forum in Boston Mike Miliard, the managing editor of Healthcare IT News, interviewed Joy Pritts, the Chief Privacy Officer from the Office of the National Coordinator for Health Information Technology. Here are some highlights from that discussion:
Joy Pritts: We want to make sure that healthcare systems have the technologies and resources they need to comply with HIPAA. One of the programs of the ONC is the REC. They are our feet on the ground, helping providers set up EHRs. They are also required to provide assistance on security and privacy. Within that, communities of practice is sharing lessons learned about implementing security and privacy in the provider practices.
We learned that our first approach was too technical, and that we needed to develop plain language materials to help the non-technical provider audience. We’ve been trying to focus on some common sense baseline privacy and security materials to raise awareness and set the foundation for more technical levels of conversation.
MM: What does your typical day look like?
JP: My typical day involves strapping on a rocket pack to deal with the unexpecteds that pop up during about 80% of my day. We spend a lot of time coordinating with the other ONC programs, for example the Blue Button project to facilitate patients accessing their own health records. We engage in a lot of review of regulatory and policy matters across both HHS and other federal agencies. Any time an official policy goes out, those materials often get clearance before becoming public. Between January and June of this year, we reviewed over 200 policies before they were published publically. We’re trying to coordinate these very different models across Health Information Exchanges and other places where patient information is exchanged.
MM: What’s your advice for people trying to get their arms around the basics of privacy and security?
JP: Use common sense and take an approach of protecting the information as opposed to trying to complete a checklist. We get a lot of requests for a checklist, because people think that will make their lives easier, but that doesn’t protect the patient very much. Regulations and rules are not advice. It needs to be considered from a business perspective. Become aware first to gain perspective, then start drilling down into the specifics. Also bear in mind that technology that is built for consumer use is not necessarily the best thing in a healthcare setting. It may be convenient, but it can come back and cause a lot of problems.
MM: Do you tailor your advice to different providers with different resources?
JP: When we offer advice, we focus on who the marketplace is not serving adequately. We focus on the smaller providers, but recognize that larger providers are using our materials as well. The privacy and security concerns of a larger healthcare institution can be much more complex than a very small provider office.
MM: #MU2 puts a huge focus on patient engagement. What do people need to think about?
We still see startled surprise that the patients have a right to access their patient information. The Stage 2 focus on patient access was inspired by the HITECH modifications, and what we see there is a lot of concerns from providers on where their liability ends. The responsibility ends when the patient records gets to the patient’s hands.
MM: We often hear that healthcare is far behind other industries like banking with things like encryption – what has to happen?
JP: That’s a good question and I’m still looking for a good answer to that. My conclusion is that we still have a lot of legacy systems, and will for a number of years. As they are replaced, new encryption techniques will likely Investing in those legacy systems is very expensive, and so they tend to stay around a long time.
MM: 6 or 7 years ago, smart phone didn’t exist, and are now ubiquitous. Does ONC plan for these shifts?
JP: One of our office initiatives is to keep an eye on the future so we’re not caught blindsided. When we saw mobile devices taking off and that security wasn’t taking off at the same pace, we worked to produce comprehensive documentation in 9 months to provide some guidance.
Cloud computing hasn’t really taken off yet in the healthcare sector, and there are questions about cloud computing across all sectors, so we watch other sectors for what’s trending and catch the trends as they happen.
MM: One of the panels I heard last week was talking about DropBox – loved by researchers, but giving privacy officers fits.
JP: We see a lot of apps, but they are behind the times in terms of privacy information they present. It’s hard to see what’s going on with information behind the scenes. Websites do a better job of exposing privacy policies.
MM: We’ve heard people say if you’re going to prohibit them, there need to be secure alternatives.
JP: There is a lot of movement with mobile technologies to recognize that using these devices in a commercial environment requires more security. This year we saw many more devices offering more secure ways of doing things. I believe demand can drive the market for more secure devices and apps.
MM: Do you think the shift in liability from providers to Business Associates will facilitate cloud adoption?
JP: That was one of the purposes of the rule was to shift the responsibility to where the data is being kept. That’s not to absolve the providers from responsibility – you still need to have adequate agreements in place.
MM: How do you change the culture in your organization? How do you get people to think about privacy the way we need to.
JP: Everyone is responsible for privacy and security, including from the top – meaning the federal government. Whatever you are doing – if you are talking about health information – you need to think about how you’re going to keep it private and secure and build it into every aspect of what you do so it’s not just something tacked on at the end. Privacy and Security, if you think about it up front, can provide a good return on investment to avoid data breaches. Some large organizations can pay for things like remediation, but you can’t repair your reputation with a check. In our consumer research (to be released before end of the year), it shows that when they don’t trust that an organization protects their information, it really does reduce the information that patients are willing to share with their providers. That’s not where you want to be with healthcare.
MM: What about cybersecurity and other threats – does that keep you up at night?
JP: Cybersecurity and hacking has not had a huge impact on the healthcare sector – yet – compared to hacking attacks in the financial sector. It’s entertaining to me in a perverse way that people don’t understand how valuable healthcare data can be. Why would anyone want health information? What are you going to do with that? Health information is a key asset of a business, but people who aren’t thinking from the business perspective may not understand how this information can be used for malicious purposes. It’s clear we’ll have to pay close attention going forward.
MM: What risks keep you up at night the most?
JP: Mobile technology right now is something people have not paid enough attention to. The other aspect is the human factor. When you look at the notifications of breaches reported on OCR’s website, unauthorized snooping is still one of the largest causes of breaches. You’ll always have some bad actors, but you’ll have fewer of those if there’s an atmosphere where that is not acceptable. When President Clinton went into the hospital, they immediately caught 12 people snooping in the patient record. But was more disturbing was the employees comments from the hospital like “I’m hardly surprised – it happens all the time”.
MM: Technology helps catch these actions more than with a manilla folder.
JP: Hopefully people are using the correct audit technologies.
MM: What can you do to help us get there?
JP: One thing is to get more vendors to build security in the products themselves, and we see this as a big thing we can help with. Communicating with them to get privacy and security as a consideration from the very beginning.
MM: Any tips of tricks for thinking about #MU3?
JP: Pay attention.
MM: What tops your to-do list for 2014?
JP: Difficult to say right now because we’re in flux. Time will tell what we can accomplish. One of the areas we are looking to assist is making sure patients can get their health information. Blue BUtton initiative sets standards for how to do this. We’ve also been working very hard on patient-centered outcomes research. Those are 2 items that are clearly on the drawing boards coming up.
Here at the Privacy & Security Forum in Boston Mike Miliard, the managing editor of Healthcare IT News, interviewed Joy Pritts, the Chief Privacy Officer from the Office of the National Coordinator for Health Information Technology. Here are some highlights from that discussion:
Joy Pritts: We want to make sure that healthcare systems have the technologies and resources they need to comply with HIPAA. One of the programs of the ONC is the REC. They are our feet on the ground, helping providers set up EHRs. They are also required to provide assistance on security and privacy. Within that, communities of practice is sharing lessons learned about implementing security and privacy in the provider practices.
We learned that our first approach was too technical, and that we needed to develop plain language materials to help the non-technical provider audience. We’ve been trying to focus on some common sense baseline privacy and security materials to raise awareness and set the foundation for more technical levels of conversation.
MM: What does your typical day look like?
JP: My typical day involves strapping on a rocket pack to deal with the unexpecteds that pop up during about 80% of my day. We spend a lot of time coordinating with the other ONC programs, for example the Blue Button project to facilitate patients accessing their own health records. We engage in a lot of review of regulatory and policy matters across both HHS and other federal agencies. Any time an official policy goes out, those materials often get clearance before becoming public. Between January and June of this year, we reviewed over 200 policies before they were published publically. We’re trying to coordinate these very different models across Health Information Exchanges and other places where patient information is exchanged.
MM: What’s your advice for people trying to get their arms around the basics of privacy and security?
JP: Use common sense and take an approach of protecting the information as opposed to trying to complete a checklist. We get a lot of requests for a checklist, because people think that will make their lives easier, but that doesn’t protect the patient very much. Regulations and rules are not advice. It needs to be considered from a business perspective. Become aware first to gain perspective, then start drilling down into the specifics. Also bear in mind that technology that is built for consumer use is not necessarily the best thing in a healthcare setting. It may be convenient, but it can come back and cause a lot of problems.
MM: Do you tailor your advice to different providers with different resources?
JP: When we offer advice, we focus on who the marketplace is not serving adequately. We focus on the smaller providers, but recognize that larger providers are using our materials as well. The privacy and security concerns of a larger healthcare institution can be much more complex than a very small provider office.
MM: #MU2 puts a huge focus on patient engagement. What do people need to think about?
We still see startled surprise that the patients have a right to access their patient information. The Stage 2 focus on patient access was inspired by the HITECH modifications, and what we see there is a lot of concerns from providers on where their liability ends. The responsibility ends when the patient records gets to the patient’s hands.
MM: We often hear that healthcare is far behind other industries like banking with things like encryption – what has to happen?
JP: That’s a good question and I’m still looking for a good answer to that. My conclusion is that we still have a lot of legacy systems, and will for a number of years. As they are replaced, new encryption techniques will likely Investing in those legacy systems is very expensive, and so they tend to stay around a long time.
MM: 6 or 7 years ago, smart phone didn’t exist, and are now ubiquitous. Does ONC plan for these shifts?
JP: One of our office initiatives is to keep an eye on the future so we’re not caught blindsided. When we saw mobile devices taking off and that security wasn’t taking off at the same pace, we worked to produce comprehensive documentation in 9 months to provide some guidance.
Cloud computing hasn’t really taken off yet in the healthcare sector, and there are questions about cloud computing across all sectors, so we watch other sectors for what’s trending and catch the trends as they happen.
MM: One of the panels I heard last week was talking about DropBox – loved by researchers, but giving privacy officers fits.
JP: We see a lot of apps, but they are behind the times in terms of privacy information they present. It’s hard to see what’s going on with information behind the scenes. Websites do a better job of exposing privacy policies.
MM: We’ve heard people say if you’re going to prohibit them, there need to be secure alternatives.
JP: There is a lot of movement with mobile technologies to recognize that using these devices in a commercial environment requires more security. This year we saw many more devices offering more secure ways of doing things. I believe demand can drive the market for more secure devices and apps.
MM: Do you think the shift in liability from providers to Business Associates will facilitate cloud adoption?
JP: That was one of the purposes of the rule was to shift the responsibility to where the data is being kept. That’s not to absolve the providers from responsibility – you still need to have adequate agreements in place.
MM: How do you change the culture in your organization? How do you get people to think about privacy the way we need to.
JP: Everyone is responsible for privacy and security, including from the top – meaning the federal government. Whatever you are doing – if you are talking about health information – you need to think about how you’re going to keep it private and secure and build it into every aspect of what you do so it’s not just something tacked on at the end. Privacy and Security, if you think about it up front, can provide a good return on investment to avoid data breaches. Some large organizations can pay for things like remediation, but you can’t repair your reputation with a check. In our consumer research (to be released before end of the year), it shows that when they don’t trust that an organization protects their information, it really does reduce the information that patients are willing to share with their providers. That’s not where you want to be with healthcare.
MM: What about cybersecurity and other threats – does that keep you up at night?
JP: Cybersecurity and hacking has not had a huge impact on the healthcare sector – yet – compared to hacking attacks in the financial sector. It’s entertaining to me in a perverse way that people don’t understand how valuable healthcare data can be. Why would anyone want health information? What are you going to do with that? Health information is a key asset of a business, but people who aren’t thinking from the business perspective may not understand how this information can be used for malicious purposes. It’s clear we’ll have to pay close attention going forward.
MM: What risks keep you up at night the most?
JP: Mobile technology right now is something people have not paid enough attention to. The other aspect is the human factor. When you look at the notifications of breaches reported on OCR’s website, unauthorized snooping is still one of the largest causes of breaches. You’ll always have some bad actors, but you’ll have fewer of those if there’s an atmosphere where that is not acceptable. When President Clinton went into the hospital, they immediately caught 12 people snooping in the patient record. But was more disturbing was the employees comments from the hospital like “I’m hardly surprised – it happens all the time”.
MM: Technology helps catch these actions more than with a manilla folder.
JP: Hopefully people are using the correct audit technologies.
MM: What can you do to help us get there?
JP: One thing is to get more vendors to build security in the products themselves, and we see this as a big thing we can help with. Communicating with them to get privacy and security as a consideration from the very beginning.
MM: Any tips of tricks for thinking about #MU3?
JP: Pay attention.
MM: What tops your to-do list for 2014?
JP: Difficult to say right now because we’re in flux. Time will tell what we can accomplish. One of the areas we are looking to assist is making sure patients can get their health information. Blue BUtton initiative sets standards for how to do this. We’ve also been working very hard on patient-centered outcomes research. Those are 2 items that are clearly on the drawing boards coming up.