this rule earlier. Further research, however, would
be needed to validate these findings.
Sharing ePHI is a necessity to do business
within the healthcare system. The HIPAA security
rule required that healthcare organizations
ensure that healthcare clearinghouse functions
are conducted in compliance with HIPAA security
rule standards to protect health information
from unauthorized access. Data collected showed
that healthcare institutions reacted strongly to
this requirement, especially between April and
December 2005 and 2006; 58.3% reported that they
were in compliance with this requirement.
Granting access to electronic protected health
information is a basic requirement mandated by
the HIPAA security rule. Data indicates that most
institutions (50% before April 2005, 40.6% between
April and December 2005) implemented policies
and procedures for granting access to electronic
protected health information. The response to this
basic security requirement was strong between
April and December 2005. Granting access has to
be controlled, however; a process of determining
users' authorization/access level to ePHI was also
required by the HIPAA security rule, and the data
shows that this requirement was widely adopted
around the HIPAA security rule mandated date (42.7%
before April, 44.8% between April and December
2005). System and application software are not
free from security vulnerabilities; security updates
are a must to patch these flaws. Data collected
revealed that security updates were widely adopted;
88.6% met this requirement during 2005. The HIPAA
security rule recommended monitoring log-in
attempts and reporting discrepancies. Ninety-nine
percent of the participants in this study reported
that their healthcare organizations implemented
procedures in order to meet this requirement.
According to the data collected, 93.8% of the
respondents reported that their organizations
adopted password management processes. However,
57.3% did meet this requirement before the HIPAA
security rule mandated date. Protecting ePHI is
critical; security violation response and reporting
is an important process for achieving adequate
ePHI security. The HIPAA security rule required
healthcare organizations to implement procedures
to respond to and report security violations.
Unfortunately, data collected indicated that the
response to this requirement was weak around the
HIPAA security rule mandated date. In 2006, however,
more institutions implemented it. Data backup is
very important in any business that uses digital
information. Data showed that all healthcare
institutions of the sample satisfied the data backup
plan requirement as of 2006. This researcher
believes that awareness about the importance of
data backup as a protective measure against
destructive attacks, hardware and software failures,
theft, environmental disasters, and other factors is
widespread. Recovering from a failure or a disaster
is critical to any healthcare organization's business
operations. Data in this study indicated that 90.6%
of healthcare organizations that participated in this
study implemented a disaster recovery plan; 39.6%
did so between April and December 2005, which
clearly shows the impact of the HIPAA security
rule on these healthcare organizations' security
behavior. Continuation of critical business
processes while operating in emergency mode seems
to have been adopted mostly after the mandated
date. As the data shows, 31.3% of healthcare
organizations participating in this study were compliant
with this requirement first in 2006. Data revealed
that healthcare organizations did not perform well
in implementing procedures for periodic testing
and revision of contingency plans. Most of them
(38.6%) were compliant in 2006 and 2007. They
also performed poorly in the assessment of the
relative criticality of specific applications and data
in support of other contingency plan components.
Progress has been made, however, in the last
two years (17.7% in 2006 and 14.6% in 2007).
Periodic evaluation in response to environmental
or operational changes affecting the security of
ePHI also seems to receive less attention, as the
data shows. However, most of the healthcare
organizations in this sample (47.9%) put in place