Healthcare organizations of all sizes are preparing to apply for Medicare and Medicaid incentive payments for making meaningful use of electronic health records. Adequately addressing security issues is more essential as more patient information is digitized.

Rather than taking a piecemeal approach to security, hospitals, clinics and others should create what I call an electronic health record security ecosystem.

The most critical element in building a security ecosystem is the risk assessment. The time to complete one is now.

Key steps in developing a security ecosystem are: understanding the landscape of security and privacy; performing a risk assessment; developing governance and security policies; and developing and implementing procedures.

The ecosystem approach enables organizations to continually assess their security posture against changes in their business and the industry. Properly built ecosystems protect many walled and non-walled environments, including information collection, storage and exchange. Applying a "right-sized" best practices approach to various security borders requires the appropriate blend and focus on people, policies and processes, and the correct portfolio of security technologies.

Here's a guide to the key steps:

Step 1: Understand the Security and Privacy Landscape

Before building a security ecosystem, security professionals must first review the high-level components of their security and privacy landscape. Several regulatory concerns must be addressed. Chief among them are:

• HITECH Act: Included in the federal economic stimulus package, the Health Information Technology for Economic and Clinical Health Act created tougher penalties for failing to comply with the HIPAA privacy and security rules. A recently released proposal to modify HIPAA, as called for under HITECH, made it clear that the rules apply to healthcare organization's business associates and their subcontractors. HITECH also spelled out requirements for notifying regulators, as well as the individuals affected, about breach incidents. And it created the Medicare and Medicaid EHR incentive program.
• Meaningful Use: To meet the final "meaningful use" requirements and qualify for federal EHR incentives, organizations must protect their electronic health information by implementing proper controls, although no specific security technologies are mandated. The meaningful use rule also requires healthcare organizations to conduct and regularly update risk assessments. Electronic health records software that qualifies for the incentives must include a long list of security capabilities, including encryption and authentication.
• State Privacy Laws: These typically require technical controls, a written information security plan and breach notification protocols. As a result, it's important to establish "reasonable" protection of consumer information and create a best practices framework, which normalizes all these requirements and enables an organization to manage, measure and monitor controls.
• The Red Flags Rule: The Federal Trade Commission's regulation requires certain organizations that grant credit to develop and implement written identity theft prevention and detection programs to protect consumers. The FTC, however, is not yet enforcing the rule while it awaits Congressional action exempting smaller healthcare organizations and others.

Step 2: Conduct a Risk Assessment

The risk assessment process includes analyzing best practice frameworks, quantifying risks and identifying gaps to create a program roadmap. Properly followed, the outcome of this process is a comprehensive assessment of an organization's security program, an actionable set of recommendations and a clear roadmap and plan for remediation. Key steps are:

• Gather existing documentations, such as policies, procedures, diagrams and other business infrastructure components. Utilize interviews and workshops with stakeholders to identify existing controls, processes and technologies used.
• Review documentation and interview/workshop notes to identify gaps. Compare your organization's practices to best practices.
• Document findings to make actionable, prioritized recommendations for the organization.
• Review all findings with business and technical leaders to ensure recommendations align with business objectives.

Step 3: Create a Governance and Security Policy These policies are critical to gaining executive buy-in and building a successful security ecosystem. Reviewing resources, strategic alignment and risks enables organizations to understand whether they can meet their goals.

Policy development should address key areas including:

• Protecting sensitive information;
• Addressing regulatory issues;
• Limiting access to confidential information to those with authorized access;
• Safeguarding the integrity of accurate information and processing methods; and
• Making information available to authorized users when required.

Every organization should have clear accountability for the processes, policies and controls to trace actions to their sources and ensure technical and operational security of the intended work.

Step 4: Develop and Implement Procedures

Procedure development identifies standards for what needs to be in place. Procedures create processes for both operations and technology to guide security implementation. They are a critical component for information and enforcement in a security program. The bottom line is this: The most critical element in building a security ecosystem is the risk assessment. The time to complete one is now.

Daniel is the security team leader and principal consultant for Concordant, which provides healthcare IT consulting services, specializing in ambulatory EHR adoption and implementation. He has extensive experience as an information security professional with expertise in regulatory compliance, governance, security engineering and security awareness training. He is a member of the Information Systems Audit and Control Association and the International Information Systems Security Certification Consortium.