Information Security News mailing list archives

Security Top Concern as Health Care Regs Loom


From: InfoSec News <isn () C4I ORG>
Date: Mon, 12 Feb 2001 11:03:28 -0600

http://www.computerworld.com/cwi/stories/0,1199,NAV47-68-84-88_STO57610,00.html

By JULEKHA DASH
February 12, 2001

Health care organizations scrambling to comply with pending HIPAA
rules.

With new government regulations looming, upgrading security has become
the top priority this year for health care IT departments.

The 20,000 attendees at the Healthcare Information and Management
Systems Society's (HIMSS) annual conference here last week debated
everything from reducing medical errors to deploying Internet
technologies. But sessions on the Health Insurance Portability and
Accountability Act (HIPAA) drew the largest crowds. At one session,
guests spilled out into the hallway.

"HIPAA is much bigger in magnitude than Y2k and is larger in scope
because it's not a one-time thing," said Soloman Appavu, director of
systems planning at Cook County Hospital and Cook County Bureau of
Health Services in Chicago.

Lawmakers released the HIPAA regulations, which Congress passed in
1996, in several stages last year. In essence, the regulations require
health care organizations to protect the privacy and security of
confidential health information and call for standard formats for
electronic transactions.

Since the HIPAA regulations require heightened security measures,
Bryan Bayley, program manager at Carl T. Haydon VA Medical Center in
Phoenix, said he's looking for an alternative to password protection,
such as biometric authentication, which involves scanning a person's
eye or finger before granting access to protected information.

Many health care companies are preparing for the regulations by
changing their existing policies and procedures. Sparks Health System
in Fort Smith, Ark., for example, has created a policy education
committee to assess its readiness for HIPAA, said Karen McPherson,
director of information systems. To start, the committee has asked an
attorney to draft a letter for vendors to sign to show that they are
HIPAA-compliant.

As health care organizations pour their resources into HIPAA, other
projects, such as Internet initiatives, will likely take a back seat
this year. Almost two-thirds of respondents to this year's HIMSS
leadership survey said their top priority is upgrading security on IT
systems to meet HIPAA requirements.

"HIPAA will have a continuing dampening effect on health care IT
innovations," said Simmi Singh, a vice president in the health care
group at Internet services firm SeraNova Inc. in Edison, N.J.

But Walter Menning, HIMSS board chairman and vice chairman of
information systems at the Mayo Clinic in Rochester, Minn., said the
survey results revealed not so much a declining interest in Internet
initiatives as a shift in priorities caused by looming deadlines for
HIPAA compliance.

Late last year, former President Bill Clinton announced the final
HIPAA privacy rules [News, Jan. 1]. Most organizations will have two
years to comply. Failure to do so could result in civil and/or
criminal fines, as well as jail time. The final security rules are due
the middle of this year.

However, Bill Braithwaite, senior adviser on health information policy
at the U.S. Department of Health and Human Services, said health care
organizations will be asked for ongoing feedback.

"It's not a one-time deal. We will be revising these standards, and
you will be affecting those standards on an annual basis," Braithwaite
said.
