After surviving the worst of a global recession, already lean health care IT security teams face numerous challenges as hospital automation continues to expand and data-hungry cyberthreats continue their assault. The cyberthreats are driven by the big money behind organized cybercrime, while the increased automation is being driven by the American Recovery and Reinvestment Act of 2009 (ARRA). Title XIII of ARRA, also known as the Health Information Technology for Economic and Clinical Health Act (HITECH Act), reserves $22 billion to accelerate the adoption of health IT and complete a U.S. shift to electronic health records by 2014. This is good for health care, but certainly disruptive and challenging for health care companies.
The same is true for the aspects of the HITECH Act that expand the reach of the existing Health Insurance Portability and Accountability Act (HIPAA). One HITECH requirement calls for a robust ePHI (electronic patient health information) auditing capability by the end of the year. Starting on Jan. 1, 2014, any person may walk into a hospital and request a report detailing all access to their ePHI in the preceding three-year period. This means that all hospitals and other entities covered by HIPAA and the HITECH Act must log and retain every ePHI access event from Jan. 1, 2011 onward.
But, as with other compliance-driven security investments, such as PCI, the best practice will be to leverage these investments to actually improve security. The same event-data-logging and audit/investigation technology deployed to comply with patient privacy requirements of HIPAA/HITECH can be used to monitor insider and outsider threats that are more generic in nature, including sabotage of IT systems, theft of customer identity information and industrial espionage, such as tampering with or stealing lab results.