
Health IT Security: What Can the Association for Computing Machinery (ACM) Contribute?

Posted on February 24, 2015 | Written By

Andy Oram is an editor at O'Reilly Media, a highly respected book publisher and technology information provider. An employee of the company since 1992, Andy currently specializes in open source, software engineering, and health IT, but his editorial output has ranged from a legal guide covering intellectual property to a graphic novel about teenage hackers. His articles have appeared often on EMR & EHR and other blogs in the health IT space. Andy also writes often for O'Reilly's Radar site and other publications on policy issues related to the Internet and on trends affecting technical innovation and its effects on society. Print publications where his work has appeared include The Economist, Communications of the ACM, Copyright World, the Journal of Information Technology & Politics, Vanguardia Dossier, and Internet Law and Business. Conferences where he has presented talks include O'Reilly's Open Source Convention, FISL (Brazil), FOSDEM, and DebConf.

A dazed awareness of security risks in health IT has bubbled up from the shop floor administrators and conformance directors (who have always worried about them) to C-suite offices and the general public, thanks to a series of oversized data breaches that recently peaked in the Anthem Health Insurance break-in. Now the US Senate Health Committee is taking up security, explicitly referring to Anthem. The inquiry is extremely broad, though, promising to address “electronic health records, hospital networks, insurance records, and network-connected medical devices.”

Privacy Group Seeks Rules For Healthcare Clouds

Posted on January 4, 2013 | Written By

Anne Zieger is a veteran healthcare consultant and analyst with 20 years of industry experience. Zieger formerly served as editor-in-chief of and her commentaries have appeared in dozens of international business publications, including Forbes, Business Week and Information Week. She has also contributed content to hundreds of healthcare and health IT organizations, including several Fortune 500 companies. Contact her at @ziegerhealth on Twitter or visit her site at Zieger Healthcare.

It’s time for HHS’ Office for Civil Rights to release “strong guidance” on cloud computing in healthcare, according to a letter sent by advocacy group Patient Privacy Rights. The letter, sent by PPR president Deborah Peel, argues that the transition to EMRs will be hampered if patients aren’t confident that their medical information is protected wherever it goes, including the cloud.

“More specific guidance in the health care ecosystem would help ensure that cloud providers, health care professionals and patients alike are aware of how the privacy and security rules apply to clouds,” Peel writes.

Peel suggests that HHS rely on lessons learned from the recently-settled Phoenix Cardiac Surgery case, in which a medical group was fined $100,000 for HIPAA violations including exposing clinical and surgical appointments on a publicly-available Internet calendar.

Specifically, Peel recommends the following standards be established:

Security Standards: Security standards must be implemented that are consistent and compatible with standards required of federal agencies including the HIPAA Security Rule and the HITECH breach notification requirements.

Privacy of Protected Health Information: Standards must be included that establish the appropriate use, disclosure, and safeguarding of individually identifiable information, which take into account stronger state and federal requirements, Constitutional rights to health information privacy, and the fact that HIPAA is the “floor” for privacy protections and was never intended to replace stronger ethical, or professional standards or “best

BAA Requirement and Standardization: Consistent with prior OCR guidance, any software company given access to protected health information by a HIPAA-covered entity to perform a service for the covered entity is a business associate. Thus, as OCR representatives have publicly stated on several occasions, a Business Associate Agreement (BAA) is required between a cloud computing provider and any customer entity that uses or discloses protected health information or de-identified health information. It is imperative that these BAA standards promote the protection of privacy and security of health information to ensure public trust in health IT systems and promote quality health care, health care innovation and health provider collaboration.

I was particularly interested to note her suggestion that software companies given access to ePHI sign Business Associate Agreements. My guess is that some cloud providers would fail miserably if asked to uphold HIPAA standards, simply because they aren’t prepared. If Peel’s recommendations were enacted, in other words, it could shake up the cloud services industry. Maybe that’s a good thing, but it won’t be a pleasant one for some.