ONC's Joy Pritts on Breach Prevention

Two Essential Steps That All Organizations Should Take

November 25, 2013.
Healthcare organizations should make widespread use of encryption because it's the single most essential technology to use for breach prevention, says Joy Pritts, chief privacy officer at the Office of the National Coordinator for Health IT.

"We still see the largest impact of breaches has been from lost and stolen technology," Pritts says in an interview with Information Security Media Group (transcript below). "For those items, there's a pretty simple solution: encrypt. Encryption methods are much more advanced than they were five years ago, and there really is not a good reason at this point, if you're purchasing new technology, not to make sure that you can encrypt it."

More than half of major breaches reported to the Department of Health and Human Services since September 2009 have been tied to lost or stolen unencrypted devices, especially laptops (see: Wall of Shame: Four Years Later).

A second important breach mitigation step, Pritts says, is to ensure that healthcare organizations have the policies and procedures in place to prevent insiders from snooping into patients' records. "And if you find out that they're doing that [snooping], take action against them," she urges.

In the interview, Pritts also discusses:

  • The provisions of the HIPAA Omnibus Rule that will likely have the biggest impact on safeguarding patient health information;
  • The privacy and security requirements being hammered out for Stage 3 of the HITECH Act's electronic health record incentive program;
  • Privacy and security issues related to medical devices.

Pritts joined ONC, a unit of the HHS, in 2010 as the office's first chief privacy officer. In that role, Pritts provides advice to the HHS secretary and the National Coordinator for Health IT about developing and implementing ONC's privacy and security programs under HITECH. Pritts also works closely with the Office for Civil Rights and other divisions of HHS, as well as with other government agencies, to help ensure a coordinated approach to key privacy and security issues. Before joining ONC, Pritts held a joint appointment as a senior scholar with the O'Neill Institute for National and Global Health Law and as a research associate professor at the Health Policy Institute at Georgetown University.

Biggest Privacy, Security Challenges

MARIANNE KOLBASUK MCGEE: What do you think are the biggest privacy and security challenges facing the healthcare sector today? Looking ahead, what emerging privacy and security challenges do you see?

JOY PRITTS: Right now, I think we still see the largest challenge in the healthcare sector as being one of culture. There's still a culture that privacy and security are barriers to the provision of health. We see privacy and security actually as being facilitators and that, when the message from the top is that privacy and security are good for the patient and good for business, we will see more of an attitude that these are things that organizations should be doing very willingly and will see the benefit to them and their patients.

Medical Devices

MCGEE: What sorts of privacy and security issues do you worry about when it comes to medical devices?

PRITTS: First, I'd like to make a little distinction here between medical devices and mobile devices. A lot of people are thinking of medical devices as being maybe your little monitor you have on your arm, but there's also this very large category of medical devices that are really associated directly with healthcare that are in not only hospitals and healthcare organizations, but are also remotely based at a patient's house. The adoption of those is also escalating very quickly, and there's a lot of work being done with the FDA and some work with our office on assessing what those security issues are with those devices and how to ensure that they're secure as we move forward.

Stage 2 Privacy, Security Requirements

MCGEE: Please highlight the most significant privacy- and security-related requirements in Stage 2 of the meaningful use electronic health record incentive program funded by the HITECH Act.
