What I’m Looking Forward to at #HIMSS16: Privacy and Security

MattFisher-whiteBy Matt Fisher, Esq
Twitter: @matt_r_fisher
Event Hashtag: #HIMSS16

The 2016 HIMSS Annual Conference promises to showcase many new developments in the health IT field and highlight key areas of focus. In what will not likely be a surprise based on the focus of my blogging, I anticipate that privacy and security will be a primary focus. The genesis for that prediction is the ever increasing number of security breaches and concerns about maintaining the privacy of sensitive medical information.

There are a number of sessions at the conference that will consider privacy and security issues. The sessions on my list include:

  • Cybersecurity Symposium (Monday, February 29) – In advance of the full conference, there is a day-long symposium focusing on cybersecurity. The symposium will discuss issues including concerns of privacy officers, biomedical device deficiencies, evolving liability issues relating to cyber insurance, and general legal issues. A wide array of top people in the field will present on the issues.For example, knowing what privacy officers are concerned about may help identify solutions to vet or issues to put on the radar. Laying the groundwork of current issues will help set the stage for the rest of the conference.
  • Limiting Impact in the Era of the Inevitable Breach (Tuesday, March 1) – It is often stated and very much true, every healthcare organization will experience a data breach. It is a matter of when not if. Given that certain knowledge, organizations must be prepared to limit the harm resulting from a breach. Mitigation and risk reduction can be accomplished by learning from previous breaches, constantly performing risk assessments, and having a response plan in place and ready to go.
  • Privacy & Security in an App Enabled World (Tuesday, March 1) – Lucia Savage, Esq. from the Office for the National Coordinator of HealthIT will lead a discussion on HIPAA, privacy, security and mHealth apps. Organizations and individuals are increasingly using such mHealth solutions, which makes it important to understand how regulations impact use and what concerns to keep foremost in mind. The discussion is bound to be informative, especially in light of recent mobile app guidance issued by the government.
  • Compliance Does Not Equal Security (Tuesday, March 1) – The name of this session says it all. Compliance with HIPAA and other regulations does not mean that an organization is secure. It is important to keep in mind that HIPAA really only establishes the floor level of security. True security requires going well above and beyond the requirements of HIPAA and its implementing regulations. From this perspective, is it important to understand why compliance does not, in fact, equal security and then identify what actions or activities can increase an organization’s security comfort. Included in the learning objectives is a statement that people are the key to successful security. This observation is very astute because a security program will only be as effective as the people implementing and following it.
  • Trends in Consumer Access and Use of Electronic Health Information (Wednesday, March 2) – Individuals are creating more personal data, including health data, and expect that this information will be used by healthcare providers. Such engagement requires providers to be aware of privacy and security risks around data generation and integration. While healthcare organizations cannot control what an individual does on their own, the story will change if the healthcare organization provides a device or otherwise plays a role in how data is created or used. Many personal devices have raised concerns about security and where data are sent. If personal devices will be involved in healthcare going forward, all must understand the associated risks.
  • Hacking Healthcare (Wednesday, March 2) – Hacking of healthcare organizations has been a hot topic over the past year. A number of organizations have been victimized, resulting in an enormous number of individuals being impacted. Security may be enhanced by getting into the mindset of a hacker as well as understanding restraints in security. It is likely impossible to prevent all attacks, but to the extent any can be avoided that should be sought.

The above list only contains some of the sessions that have drawn my attention. I will try to attend as many as I can in order to get a sense of where the industry as a whole is on privacy and security issues. Privacy and security are both topics that can generate a lot of discussion. Please find me at HIMSS, on Twitter, LinkedIn, email or elsewhere to have that discussion.

About the author: Matthew Fisher is the chair of the Health Law Group at Mirick, O’Connell, DeMallie & Lougee, LLP, in Worcester, MA. Matt advises his clients in all aspects of healthcare regulatory compliance, including HIPAA, the Stark Law and the Anti-Kickback Statute. This article was originally published on Mirick O’Connell’s Health Law Blog and is republished here with permission.