Hospitals seek cures for common security breach

April 30, 2001

No decision facing healthcare at the moment causes more apprehension than how best to prepare for HIPAA compliance. Two new resources give hospitals some guidance.

One is a paper meant to help hospitals analyze and correct security hazards, the other a new Web quiz/game designed to educate healthcare workers.

The article discusses the types of threats faced by healthcare institutions, from external attacks via the Internet to internal security violations, and what hospitals can do to achieve and maintain data privacy and integrity. "Healthcare information security: The threats and the safeguards - and how to manage them" appeared in the January-February 2001 issue of ECRI's journal Health Devices.

"Many healthcare workers who rely on electronic patient information and must now deal with HIPAA compliance have only limited knowledge of data security," said author Ken Olbrish, a senior project engineer at ECRI, an independent nonprofit health services research agency. "This was written as a primer to help these individuals."

While the paper won't put HIPAA compliance on cruise control, it will head you down the right road, according to Olbrish. A considerable number of facility-specific decisions still must be made on a case-by-case basis, however, he said.

Every healthcare worker needs to understand the requirements for electronic patient information transmission to ensure that the security and privacy of that information are maintained. The Olbrish article, which summarizes this arcane topic in a nontechnical format, can also be used as an educational tool.

The Web quiz is another tool that may help hospitals understand their obligations under the new law.

"Now that sweeping new regulations have taken effect to protect patient records, healthcare organizations are suddenly feeling a bit under the weather themselves," said David Simon, president of WeComply, a developer of online compliance training programs. "Even with two years to achieve full compliance, some hospitals and HMOs have already started scrambling to put their houses in order."

In addition to upgrading their record-keeping infrastructure, these organizations face a huge task in educating their employees on the new policies and procedures required by the rules.

Simon's remedy is a Web site ( http://www.wecomply.com ) offering a library of compliance-training quizzes, including one called "HIPAA Privacy Primer," that consists of a brief text followed by a quiz/game. It costs $15 (or less with volume discounts), takes about 30 minutes to complete, and can be locally customized by the hospital's compliance officer or legal department to suit facility-specific needs.

"Satisfying the training requirement online is almost certainly less expensive than covering the same material in a live session, and it's unquestionably more convenient," Simon said. "It provides a consistent message enterprise-wide, plus usage is easily tracked and reported for risk-management purposes."

The challenging quiz/game is also more fun than sitting through a presentation.