AHIMA Helps Healthcare Organizations to Develop an Effective IG Program

A guide published by the American Health Management Association (AHIMA) aims to help healthcare organizations create a comprehensive cybersecurity plan. Healthcare organizations need to develop and maintain an organization-wide framework that manages information throughout its lifecycle, from creation to safe and secure disposal. This framework is termed information governance, or IG.

Every day more than one healthcare data breach occurs, according to the Protenus and Databreaches.net monthly healthcare data breach reports. Given the real cybersecurity threat today, healthcare organizations need to develop an IG program. Kathy Downing, AHIMA's VP of Information Governance, Informatics, Privacy and Security, confirms that IG is now a vital element for healthcare organizations, which experience cyberattacks every day.

The Healthcare Industry Cybersecurity Taskforce (HCIC) June 2017 report stated that “Information governance includes not just IT and security stakeholders, but also information stakeholders, clinical and nonclinical leaders.” The AHIMA IG Adoption Model focuses on people, processes and technology. It covers ten competency areas, among them privacy and security, enterprise information management, legal and regulatory requirements, IT and data governance, and security awareness and adherence.

To build an effective IG program, AHIMA's guide recommends 17 actions that healthcare organizations can take to create a cybersecurity plan.

1. Do an organization-wide risk analysis of all applications and systems
2. Identify health record retention as a cybersecurity issue
3. Fix all vulnerable systems and update software and operating systems
4. Use advanced endpoint detection systems in combination with standard antivirus and anti-malware tools
5. Employ data encryption on workstations, tablets, smartphones and portable media
6. Improve access management and identity controls
7. Block bad traffic using web filters
8. Use mobile device management
9. Have an incident response plan
10. Keep track of audit logs to detect signs of possible attacks
11. Employ intrusion detection systems
12. Assess business associates
13. Conduct penetration tests using third-party firms
14. Conduct phishing simulation exercises to improve anti-phishing controls
15. Make a ‘State of the Union’ type presentation for an organization’s leaders on cybersecurity
16. Adopt a ‘Defense in Depth’ strategy
17. Detect and stop intrusions or cyberattacks

Having a cybersecurity plan can help organizations be ready for cyberattacks and avoid expensive data breaches. But it is only the start, because the threat landscape constantly changes. Healthcare organizations need to adjust and revise their cybersecurity plans as needed.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years' experience in writing about healthcare sector issues, with a focus on compliance and cybersecurity. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA