The new AHIMA Privacy, Cybersecurity, and Information Governance Institute kicked off convention this year on Saturday and Sunday, an expanded and updated version of the AHIMA Privacy and Security Institute that had been a part of convention since 2006. The addition of information governance to the institute this year was very timely due to the growing industry need for an organization-wide framework for managing information throughout its lifecycle. Featuring a packed agenda, the institute included incredible speakers, valuable information, opportunities to network, and even a hacking demo.
Institute Covered Hot HIM Topics
Opening the institute was Mark Segal, principal at Digital Health Policy Advisors, LLC and chair of the HL7 Policy Advisory Committee, who delivered a punchy overview of the 21st Century Cures Act, interoperability, information blocking, and TEFCA. His message was clear: “privacy and security, combined with APIs, information blocking, and patient right of access will create new privacy and security opportunities and challenges.” Segal also spoke on the long-standing topic of a national patient identifier. “Although patient matching is very high on the [Trump] Administration’s priority list, a national patient identifier is very low on their priority list,” he said.
Iliana Peters, JD, LLM, CISSP, former deputy director for health information privacy at the Department of Health and Human Services’ Office for Civil Rights, and current shareholder, health care services, at Polsinelli, further expanded on the need for secure data to combat cyber threats. She framed her session by saying that “good data privacy and security is fundamental to ensuring patients’ trust in the healthcare system and to helping healthcare clients succeed in an ever-changing landscape of threats to data security.” Enforcement cases were highlighted, detailing the incident that caused each breach, how the organization handled the risk assessment, and the outcomes of the cases, including associated penalties. Other cybersecurity and cyber threat breakout sessions highlighted processes to avoid attacks, what threats exist today, and what is anticipated in the future.
Information Governance and Cybersecurity Align
Additional sessions focused on information governance (IG) and how it aligns with cybersecurity, best practices, and information sharing with a business associate. Multiple panels allowed panelists to share experiences from their IG programs and recommendations and lessons learned, in order to help attendees advance their organizations’ IG initiatives. A detailed overview of the protections in place for substance use disorder records under 42 CFR Part 2 was discussed, including those required of the “lawful holder” of Part 2 information as well as new additions and changes in definitions within the rule. Disaster preparedness and business continuity are topics of interest because of cybercrime, but they are also particularly timely given the many recent natural, weather, and fire events. The General Data Protection Regulation (GDPR), the European Union privacy and security law, is a fairly new topic and one many in the United States have questions about. While GDPR is an EU regulation, it does have an impact on organizations outside the EU that exchange data with organizations within the EU.
The Sunday portion of the institute kicked off with a speaker from the United States Security Service Miami Electronic Crimes Task Force, who provided a national perspective on multiple current cyber crimes, including spear phishing attacks, delivery of malware via distribution lists, and the importance of maintaining different passwords for personal and work-related accounts to avoid “credential stuffing” and “password cracking.” The Miami Electronic Crimes Task Force’s work focuses not just on healthcare but on electronic crimes associated with all regulated businesses. The speaker detailed threats to businesses and individuals in the US, such as point of sale breaches, which can impact a majority of Americans since the breaches are conducted through online sales and/or any credit card purchase.
Cyberattack Victims Share Their Stories
Each day of the institute closed with presentations by two different organizations that have experienced a cyberattack. Michael Clark and Joe Petro from Nuance Healthcare discussed their lives one year after the huge NotPetya cyberattack that impacted their company, stating this was a multi-nation attack with malicious intent. The data corruption occurred in a matter of minutes and continued to spread at a fast pace, Clark and Petro said. “The only thing that saved us was that we were able to recover the PHI,” Clark said. “We were the only organization worldwide that was able to do that.” Finally, Steve Giles, CIO of CHA Hollywood Presbyterian Medical Center, closed the institute with his story of a “man-made” cyberattack, a ransomware attack that paralyzed the hospital’s network and led to a $17,000 ransom payment to free their data. Giles explained why “you don’t have to be paranoid to know people are out to get you” while reiterating the same point Clark and Petro had made the previous day: these attacks are malicious in intent, and healthcare organizations cannot be too cautious in securing their systems and protecting their data.