There is Still So Much to Learn: Privacy & Security Forum 2015 Recap

Posted: March 9, 2015

Last week’s Privacy & Security Forum presented by HIMSS Media and Healthcare IT News provided

attendees with many important insights and practical tips for protecting the privacy and security of digital health information.

In case you missed it, here are some of the highlights:

  1. A hospital’s privacy and security teams should round to check on their programs just like a physician rounds on his patients: Physicians round on their inpatients every day to check and see how they are doing and adjust the course of treatment as needed. Privacy and security teams should conduct “rounds” as well, visiting all areas of the hospital to check on the health and wellbeing of their privacy and security programs. To the extent that any infirmity is identified, an exam should be conducted, the problem diagnosed, and appropriate treatments implemented.
  2. “It is not your mother’s internet anymore” (Kevin McDonald, Director of Clinical Information Security Mayo Clinic): When asked what their biggest risk factor is, the vast majority of speakers agreed that it is people. Among the many security topics to address through education is the fact that it is not their mother’s internet anymore. There are bad actors out there with nefarious purposes and employees must approach every email and Internet activity cautiously and with a degree of healthy skepticism.
  3. People shouldn’t create a response to a breach, they should respond according to a plan (Karl West, CISO Intermountain Healthcare): Advanced planning for breach response is critical. Relationships with go-to third parties like forensic analysts, lawyers, crisis communications experts, and notification companies should be forged well in advance of any event. Plans for responding to different types of events should be developed, drilled, evaluated and refined on a regular basis to help ensure an effective response in the event of an incident.
  4. Cyber insurance is more complicated than you think (Erin Whaley, Partner Troutman Sanders): There is no one-size-fits-all cyber insurance policy nor are policies uniform across the industry. As a result, when shopping for cyber insurance, it is important to identify the risks that you are trying to address so that you can evaluate potential policies and determine whether they really address those risks.
  5. When setting up a conference bridge to discuss a potential hacking incident, don’t put the passcode in the calendar invite (Daniel Nigrin, CIO Boston Children’s Hospital): When you hear it and think about it, it makes perfect sense. If you are concerned that someone has breached your system and may be able to access email, don’t put the passcode together with the dial-in number in an email or calendar invite. Doing so is essentially inviting the enemy to listen to your defense strategy sessions. Send the passcode for the conference bridge separately through secure text or other means.
  6. “You can’t encrypt today and assume it will work twenty years, or even six months, from now” (Kevin Johnson, CEO Secure Ideas): Encryption is great and should certainly be part of your security program. Encryption is not, however, a static control that you can put in place and forget about. As soon as something is encrypted, there is someone out there trying to break that encryption. As a result, you should assume that your encryption will be broken at some point and build with that idea in mind.
  7. “De-identification is a quaint notion of the past” (John Mattison, CMIO Kaiser Permanente): A recent study showed that an individual can be identified through as little as four unidentified credit card transactions. If it is that easy to identify someone through their purchases, imagine how easy it could be with their health data.
  8. Privacy and security officials are embracing innovation: Having been given a bad rap as the folks who always say “no,” privacy and security officials are trying to change their image and become the “yes but” folks. Recognizing that innovation is the way of the future, privacy and security officials are encouraging their organizations to bring them in on the front end of innovation projects to ensure that privacy and security are embedded in these projects from the ground floor so that they can be successfully deployed when ready.

If you have any questions about this article, please contact Erin Whaley at or @mhealthlawyer.