Action Resources:
Security

The Final Security Rule was published in the Federal Register on February 20, 2003, with an effective date of April 21, 2003. Compliance is required by April 20, 2005 for most covered entities (April 20, 2006 for small health plans).

• General
  • CMS' HIPAA Security Educational Papers Series
  • Computerworld Knowledge Center Special Report on Proactive Security
  • HIPAA Security Crosswalk from HIMSS/NIST/URAC/WEDI
  • SearchSecurity.com MARCH TO HIPAA Nine-Part Series
  • WEDI SNIP Compliance White Papers & Presentations
  • Related Articles
    
• Security Officer
  
• Information Security
• NIST publications related to HIPAA Security
• Electronic Communications
• Policy
• Access Control
• InfoSec Management & Incident Response
• Related Articles
• Models, Samples & Templates
  
• Disaster Readiness & Recovery

HIPAA/SECURE: Security Q/A monthly column

General:

HIPAA Privacy Rule and Security Standards - friends or foes? by Cheryl S. Camin, Esq., ABA Health eSource, August 2006
This article is intended to be a brief analysis of how the differences between the Privacy Rule and the Security Standards may result in problems with compliance with both of these requirements.

The HIPAA Security and Privacy Rules – Intersections and Dependencies by Steve Weil, CISSP, CISA, Seitel Leeds & Associates

Key Security Questions For Healthcare Execs: What to Ask & Answer Before Implementing HIPAA Security by Clyde Hewitt & Bill Miaoulis, CISA, Principals, Phoenix Health Systems

SANS' HIPAA Security Policy Development: A Collaborative Approach
outlining the methodology of the State of Hawaii's policy development effort.

SearchSecurity.com's HIPAA Learning Guide, May 2005
HIPAA deadlines come and go, but compliance is forever. Whether you've met all the deadlines or you've fallen severely behind, this HIPAA Learning Guide from SearchSecurity.com is full of news articles, analysis reports, expert advice, white papers and case studies that will help keep you on track.

The Final HIPAA Security Rule – Conducting Effective Risk Analysis by Steve Weil, CISSP, CISA, Seitel Leeds & Associates

"A Guide to Security Readiness" (PDF) from the Maryland Health Care Commission provides an overview of the HIPAA Security Regulation, definitions of terms used in the regulation, plus:

• Small Provider Implementation Example
• Assessment Guide and Work Plan
• Development of a Chain of Trust Partner Agreement
• HIPAA Security/Implementation Checklist

Centers for Medicare & Medicaid Services' (CMS) Information Security homepage has links to documents and tools related to Medicare Business Partner Security requirements, including security policies, the Contractor Assessment Security Tool (CAST), and more.

Federal Regulatory Compliance Guide and Matrix (PDF), from the American Council for Technology/Industry Advisory Council's (ACT/IAC) Information Security and Privacy Shared Interest Group, provides a consolidated reference to various federal regulations (including HIPAA) pertaining to information security correlated on a functional basis.

HIPAA Security Educational Papers Series provides guidance from the Centers for Medicare & Medicaid Services (CMS) on the HIPAA Security Rule. The papers are designed to give HIPAA covered entities insight into the Security Rule, and assistance with implementation of the security standards. This series explains specific requirements, the thought process behind those requirements, and possible ways to address the provisions. CMS recommends that covered entities read the first paper in this series, “Security 101 for Covered Entities” before reading the other papers, which assume the reader has a basic understanding of the Security Rule.

1. Security 101 for Covered Entities (PDF)
2. Security Standards - Administrative Safeguards (PDF)
3. Security Standards - Physical Safeguards (PDF)
4. Security Standards - Technical Safeguards (PDF)
5. Security Standards - Organizational, Policies and Procedures, and Documentation Requirements (PDF)
6. Basics of Risk Analysis and Risk Management (PDF)

Computerworld Knowledge Center Special Report on Proactive Security:

• Security on the Offensive
  • Early Notice of Threats
  • Security Preparation Tools
• Baked-In Security
  • Test It or Toss It
• Intrusion-Prevention Systems: Erecting Barriers
  • State of the Market
  • Five Tips for Selecting an IPS
• Supersmart Security
• Secure the People
• ...with online exclusives, including a security quiz, data points, tips for making security everyone's business, tips for responsible computing, how to plan for a possible network attack, and freebie security scanners.

HIMSS/NIST/URAC/WEDI HIPAA Security Crosswalk of matrix documents developed to help healthcare organizations map existing policies and technologies to requirements of the HIPAA Security Rule. The Healthcare Information and Management Systems Society (HIMSS), in conjunction with the NIST/URAC/WEDI Security Health Care Certification and Accreditation Workgroup, created the crosswalk focused on mapping to the HIPAA security rule the best practices or requirements of:

• International Organization for Standardization (ISO) 17799
• Centers for Medicare and Medicaid Services (CMS) Core Security Requirements (CSR)
• Federal Information Security Management Act of 2002 (FISMA)
• Operationally Critical Threat, Asset, and Vulnerability Evaluation (OCTAVE) HIPAA

MARCH TO HIPAA: Bitter pill or best prescription? SearchSecurity.com's nine-part series on meeting the HIPAA security rule examines three distinct healthcare groups impacted by HIPAA:

MARCH TO HIPAA: The Best Insurance Policy
Health insurance companies say HIPAA simply reflects rules they’ve had to live by all along. That doesn’t mean every operation is ironclad.

• HIPAA Security Rules Broken Down
  Here's what you need to know at a glance.
  
• Got a Health Plan? Then Your Company Comes Under HIPAA
  Enterprises don't have to work directly with patients to be affected by HIPAA’s security rules.

MARCH TO HIPAA: A Mixed Diagnosis for Hospitals
If upper management is supportive and the right people oversee security, hospitals are doing right by HIPAA. But those ingredients aren't always there.

• Tale of Two Compliance Officers
  One's walking on air; the other walked out the door. The experiences of two IT professionals show what's critical to the success of any HIPAA security plan.
  
• A View From the Trenches
  Consultants spend their days trying to help healthcare organizations understand security. Here's one view from the trenches.

MARCH TO HIPAA: Small Practices Can't Seem to 'Follow the Law'
If your local dentist isn't complying with HIPAA's security rules, he's not alone. Experts say most doctors' offices aren't getting it.

• Tools You Can Use
  The security market is bulging with products IT administrators can use to manage HIPAA security compliance. Here's what some professionals are using.
  
• In the End, Is It Worth It?
  From the tech guy to the compliance consultant, everyone seems to agree HIPAA’s security rule is necessary -- pain and all.

WEDI SNIP Compliance White Papers & Presentations:

• Audit Trail Clarification
• Business Associate Example: Medical Transcription
• Email and Encryption
• Employer Issues
• Enforcement
• Evaluation
• Introduction to Security
• Introduction to Security Final Rule
• NIST SP 800 Series
• NIST/URAC/WEDI Healthcare Security Work Group
• Organizational Change Management
• Risk Analysis
• Security Policies and Procedures (P&P)
• Small Practice Implementation

Go to TOP

Related Articles:

Expert: Good Security is Good Business, Health Data Management, December 4, 2006
For many healthcare organizations, maintaining a strong focus on data security isn’t just good HIPAA compliance. It’s also being done to protect business continuity.

HIPAA Security Rules Frequently Overlooked by Frank Palmieri, ABA Health eSource, August 2006
Although most covered entities conscientiously complied with the Privacy Rules and have continued to monitor their HIPAA compliance, many healthcare providers and employers sponsoring health plans have not yet fully evaluated the implications of the new Security Rules.

Security Policies: Don't Be an Army of One by Harris Weisman, June 27, 2006
With the change in the legislative climate (the passing of SOX, GLBA and HIPAA), organizations can no longer afford to relegate information security policies to the back burner. Let's look at several ways you can enlist help from inside and outside your organization.

When You Take Work Home, Make Sure Security Goes With It by William Jackson, Government Computer News, May 22, 2006
No security is perfect, but the more attention you pay to the data you're carrying around with you, the less likely it is that you will be the subject of a news conference explaining how the personal data on millions of persons' names has been exposed.

Lost a BlackBerry? Data Could Open A Security Breach by Yuki Noguchi, Washington Post, July 25, 2005
The ability to carry vast amounts of data in small but easily misplaced items such as computer memory sticks and mobile e-mail devices has transformed the way Americans work, but it has also increased the risk that a forgotten BlackBerry or lost cell phone could amount to a major security breach. For doctors and healthcare companies, the loss of customer data compromises patient confidentiality, protected by HIPAA.

Don't Gamble with HIPAA Security Compliance
by Ramon Padilla, Tech Republic, June 27, 2005
The HIPAA security compliance guidelines left too many loopholes for foot-dragging IT departments. Read these recommendations for becoming compliant and documenting your efforts.

Compliance Shouldn't Be a Primary Security Driver
by Shawna McAlearney, SearchSecurity.com, June 8, 2005
Trying to be compliant or pass an audit doesn't make you more secure and doesn't protect you from attacks; conversely though, a common sense approach in security may equal regulatory compliance.

HIPAA Security: Don't Disband the Committee Just Yet by Stephen C. Brown, Journal of AHIMA, May 2005
In order to maintain compliance with the HIPAA security rule, information security diligence needs to evolve from a project to an everyday operation. Data security is a moving target and so is HIPAA compliance.

Security Rule Blues by Barry Herrin, JD, and Trish Markus, JD, May 2005, Physicians Practice
More than a month beyond the date when physicians were supposed to have met new requirements for security of health information, compliance appears to be lagging. If you are among those dragging your feet, are you aware of the risks you are taking by delaying compliance?

April 20 is Coming: A 16-Point Checklist for HIPAA Security by Michael Doscher and Chris Davenport, HealthLeaders News, April 7, 2005
The last round of HIPAA regulations comes to a close on April 20, 2005 with the implementation of the security rule. Although most covered entities probably view the regulations as just another governmental mandate, the security rule embodies a consensus of best business practices.

Security Manager's Journal: HIPAA Compliance In 30 Days or Less by CJ Kelly, Computerworld, April 11, 2005
With the deadline looming, our security manager gives an assist to the fellow in charge of meeting the mandates of the security rule.

How to (Really) Address HIPAA by Kevin Beaver, SearchExchange.com, March 10, 2005
Many organizations treat HIPAA security rule standards and implementation specifications as "high-level" and only necessary for operating systems and general business processes. Big mistake.

User Name and Passwords Still Reign in Healthcare , ID Newswire, January 28, 2005
At the same time as hospital IT administrators consider how to build a national health information network, they know they are also required to ensure the security and integrity of electronic health data under HIPAA. These twin goals of accessibility and privacy are on a collision course.

The Keys to Identity by Phil Reynolds, Health Management Technology, December 2004
As healthcare organizations strive for greater security, some are using a very personal approach in the form of biometrics.

HIPAA Risk Assessment Without Going Crazy by Rick Ensenbach, Health-IT World News, November 2, 2004
There is a way to make sense of the security rule requirement of risk management, and effectively apply it, by breaking down the task.

SmallBizIT Survival Guide: Security for Small & Medium Businesses by SmallBizIT.com, September 28, 2004
Mid-sized companies face the same challenges as larger companies, but with smaller budgets, less staff and fewer resources. Yet they must protect their networks, prevent viruses and screen out all malware just the same. This Security Survival Guide offers articles, tips and resources on security strategies and management, trends, backup and recovery, and more.

Ten Steps to Email Security by Greg Desmarais, TechNewsWorld, October 1, 2004
Organizations would be wise to establish clearly defined security and email policies.

HIPAA Security Compliance Not Just an IT Problem by Bill Brenner, SearchSecurity.com, September 30, 2004
Health organizations aren't meeting the security demands of HIPAA, partly because they push too much of the responsibility on their IT departments, experts on the law said during this week's HealthSec conference in Boston.

Healthcare CIO Gets Tough on Net Policy Violators by Bob Brown, Network World, September 29, 2004
CareGroup Healthcare System is serious about its security and privacy policies, and those employees and business partners not adhering to them pay a huge price, according to the Boston healthcare organization's CIO.

Health Care Goes High-Tech by Michael Fenner, Card Technology Magazine, July 2004
With the compliance deadline for HIPAA’s security rule a scant nine months away, health care providers must come to grips with how to meet it. Now it’s up to hospitals to decide whether a user name and password approach is sufficient or if a stronger authentication technology, such as smart cards, is warranted.

Pillars of Your Community by Meg Mitchell Moore, CSO Magazine, January 2003
The biggest challenge facing the security industry is knowing how to transform an organization's users from its biggest vulnerability into the first line of defense. The bad news is that it's not going to be easy. The good news is that it's not going to be impossible. Here are three steps to get started.

Draft HIPAA Security Summit Guidelines – the HIPAA Security Summit was a working forum held in October 1999. This document is intended to be used only as a guideline for each organization's development of security policies and procedures.

A Problem-Oriented Approach to the HIPAA Security Standards (PDF) by David C. Kibbe, MD, MBA, Family Practice Management, July/August 2001
This article shows medical practices that the best way to approach HIPAA's many security mandates is to break them down into manageable categories and tasks.

Designing Hospital Security by Stephanie Slahor, February 1, 2001

Go to TOP

Security Officer

Rise of the Chief Security Officer

Sample Security Manager Position Description

Related Articles:

Defining the Roles of HIPAA Officers
by Greg Gillespie, Health Data Management
CIOs must decide how to satisfy HIPAA’s requirement that two new positions be responsible for privacy and data security.

Go to TOP

Information Security:

Possibilities and Pitfalls of Outsourcing, Newsfactor Magazine, November 23, 2005
Many healthcare organizations are finding that diverse functions can be outsourced without affecting the core competency of health care. Confidentiality and security of the information being transferred to the outsourcing firm is of great significance.

Leveraging ISO 17799 to Achieve Security Management Best Practices
by Evan Tegethoff, CIO Magazine, June 8, 2005
It is very difficult to determine what really needs to be done from reading a regulation such as GLBA, HIPAA, Sarbanes-Oxley, Visa CISP, or MasterCard SDP. ISO 17799 can help to provide some meat.

HIPAA and SOX: What You Need To Know by Henry Newman, Enterprise Storage Forum, May 20, 2005
The new HIPAA regulations have changed healthcare documentation and storage requirements, and more importantly, requirements for data security.

Backups Tapes a Backdoor For Identity Thieves by Robert Lemos, SecurityFocus, April 28, 2005
In many cases, low-paid workers are handling sensitive tapes, but only a small fraction of companies are securing the data with encryption.

Find the Top 20 Vulnerabilities on Your Systems & Networks (PDF)
Tools and services you can use to scan your systems without installing new software (v6, updated November 22, 2005).

Information Activity Forensics: Protecting Data at the Core by Prat Moghe, Computerworld, January 21, 2005
As companies face the growing challenge of monitoring, complying with regulations such as HIPAA, and protecting data, a new approach to data security has emerged. It's called information activity protection, and it focuses on monitoring, auditing, and protecting information assets at the network core.

Safeguard Records to Comply with HIPAA Security Rule by Steven M. Harris, American Medical News, January 3/10, 2005
You should consider taking these steps to ensure protection of health information and electronic medical records in compliance with the HIPAA regulations and the new security rule.

Keeping the bad guys out – Threat management: Organizing defense-in-depth strategies by Brian Robinson, Federal Computer Week, October 11, 2004
Threat management is one approach that's catching the interest of many in the security field. Instead of meeting threats as they arise, threat management organizes defenses through an ongoing process.

When Outsourcing, Don't Forget Security, Experts Say by Scarlet Pruitt, Computerworld, September 21, 2004
When it comes to outsourcing IT operations to countries such as India and China, companies often focus on slashing costs and gaining productivity but fail to take into account cultural differences that may affect their security, according to experts attending the Gartner IT Security Summit in London today.

Finding the Right HIPAA Mix by Joseph Goedert, Health Data Management, July 2004
Providers studying how their work processes mesh with the HIPAA data security rule often find it's a balancing act.

Users, Vendors Treating Healthcare Patching Ills by Ellen Messmer, Network World, July 19, 2004
There continues to be plenty of finger-pointing over who should fix the broken process for patching Windows-based patient-care systems, but some users and vendors are at least trying to deal with the problem directly.

Case Study: Hospital Makes Moves toward HIPAA with Secure Messaging by Caroline Broder, iHealthBeat, June 18, 2004
It's no secret that healthcare is behind when it comes to meeting an upcoming HIPAA deadline to secure patient data. But one hospital decided to get ahead of the game last year when it went live with a secure messaging system.

Information Security Governance: A Call to Action (PDF)
This report from the National Cyber Security Partnership (NCSP) provides a framework and guidelines to help organizations make information security an integral part of core business operations.

The Key to a HIPAA-Safe Computer System: These commonsense precautions will help safeguard patient data, and keep you out of HIPAA trouble by Robert Lowes, Medical Economics, April 11, 2003
Computer security can be as simple as installing a lock on the door to the room where your server sits. If you've taken that step, you've taken the first step in complying with the HIPAA security standard.

Related NIST publications:

• SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems, September 1996 (PDF)
• SP 800-16 Information Technology Security Training Requirements: A Role- and Performance-Based Model (supersedes NIST Spec. Pub. 500-172), April 1998, broken down into 3 parts:
  • Part 1 - document (PDF)
  • Part 2 - Appendix A-D (PDF)
  • Part 3 - Appendix E (PDF)
• SP 800-26 Security Self Assessment Guide for IT Systems (PDF)
• SP 800-30 Risk Management Guide for Information Systems (PDF)
• SP 800-33 Underlying Technical Models for Information Technology Security, December 2001 (PDF)
• SP 800-50 Building an IT Security Awareness and Training Program (PDF)
• SP 800-55 Security Metrics Guide for IT Systems(PDF)
• SP 800-66 Introductory Resource Guide for Implementing the HIPAA Security Rule (PDF)

Understanding HIPAA: A Security Perspective
View this webcast to learn how to use Symantec's Policy Compliance solutions to pro-actively secure your environment, and help you comply with pending HIPAA regulations. Symantec Security Experts will discuss how to use Symantec Enterprise Security Manager and the new preconfigured HIPAA Application Security Module to build, manage and deploy a HIPAA security policy across your organization.

HIPAA Challenges for Information Security: Are You Prepared?
HealthCIO.com White Paper by Jonathan Bogen, 2001 (best viewed in IE)

Electronic Communications:
With advances in technology, email and voice mail have become important means of communications among physicians and between provider and patient.

• Fax Facts on sending and receiving faxes that contain PHI.

Policy:

Keeping IT Healthy with Information Security Policies by Mark Ungerman, Advance for Health Information Professionals, June 2004
An information security policy can help address the administrative, physical and technical security issues set forth by HIPAA by identifying the security controls required to secure patient data.

Sample PDA IT support policy from Tech Republic
This sample policy clearly states the type of support an IT department will provide for PDAs and explains basic security procedures to employees.

Security Policy: What it is and Why – The Basics by Joel S. Bowden
August 14, 2001, SANS Institute
A security policy is nothing more than a well-written strategy on protecting and maintaining availability to your network and it’s resources. By having a well-written policy that covers areas listed below, you should be able to react and recover from most situations in minimal time.

• Risk Assessments
• Password Policies
• Administrative Responsibilities
• User Responsibilities
• Email Policies
• Internet Policies
• Disaster Recovery (Backup and Restore)
• Intrusion Detection

Site Security Policy Development
A Site Computer Security Policy gives computer system operators, owners, and users a clear understanding of acceptable standards of use. This paper outlines some issues that the writer may need to consider when developing such a document.

Information Systems Security Policy Manual from the Department of the Navy Bureau of Medicine and Surgery.

"Sanitization of Information Technology Equipment and Electronic Media" Policy from the KY Governor’s Office of Technology

Access control:

Role-Based Access Control (RBAC)

Implementing Context-based Access Control for HIPAA

Information Security Management & Incident Response:

Hospital Emergency Incident Command System (HEICS) security incident response plan originally funded by the California Emergency Medical Services Authority and sponsored by AMMI Inc.

Incident Response Plans Avert Disaster and Make Breaches 'Temporary Inconvenience' by John Kavanagh, ComputerWeekly, September 14, 2004
IT security breaches are inevitable but proper incident response can restrict a potential disaster to little more than a temporary inconvenience, according to security specialist Ross Patel.

A Bag of Tricks Approach to Proactive Security, SANS Institute, April 30, 2004
Security does not begin with the detection of a compromised server or other form of detected intrusion.

Corporate Incident Handling Guidelines by David Theunissen, SANS Institute, November 14, 2001
The purpose of having incident handling procedures is to know what to do when an incident occurs. This means anticipating scenarios before they happen, and making many decisions about them in advance.

Free InfoSec Training, Compliments of History by Chris Bachmann, SANS Institute, September 21, 2001
We are all soldiers in a war to guard assets against attack and as any good military leader knows, those that are unaware of history are doomed to repeat it.

CPRI Toolkit: Managing Information Security

Guidelines for Managing Information Security Programs at Organizations Using Computer-based Patient Record Systems

Establishing the Information Security Manager's Job Description by Harry Rhodes of AHIMA

Job description recommendations for Information Security Manager - AHIMA

Related Articles:

Disposing of Idle Technology by James F. Regan, Healthcare Informatics, February 2005
All healthcare organizations face the challenge of what to do with end-of-life technology. HIPAA requires erasure of all confidential information from computer hard drives, and accounting and environmental challenges must be met to avoid potential lawsuits and negative publicity.

Companies Turn to Secure IM to Meet Privacy Concerns by Todd R. Weiss, Computerworld, March 10, 2005
With the use of instant messaging on an upswing, companies concerned about security, regulatory and privacy issues are sometimes turning to secure IM solutions that allow only authorized users access to IM -- while stopping others from sending instant messages.

Maximizing Security Standards by Nigel Stokes, Healthcare Informatics, February 2005
Complying with HIPAA's security standards provides a unique opportunity to establish a live, secure enterprise in which corporate and customer data is auditable and protected.

Is Your Storage Management Process HIPAA Compliant?
by Jeff Davis, Tech Republic, February 9, 2005
Beginning in April 2005, being compliant with the HIPAA security regulations turns into serious business. The question for CIOs, IT directors, and everyone charged with securing the company's network is: When the auditors come looking at your operation, will you be HIPAA compliant?

Bridging the Divide: Information security meets physical security by Mark Willoughby, Computerworld, May 28, 2003
Combining the two into "holistic" security results in stronger security and economies of scale. Stronger security and privacy is precisely the tack taken by HIPAA, the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, all of which treat unauthorized privacy disclosures and security breaches equally, whether paper, voice or electronic.

Security certs may be mandatory for IT pros in financial and healthcare fields by Allen Keele, TechRepublic, May 2, 2003
You might need to hold special information security certifications just to meet your industry's regulatory or compliance guidelines. HIPAA and the Gramm-Leach-Bliley Act of 1999 (GLBA) may require some IT pros, along with others in the organization, to have certain information security (infosec) certifications.

2 New Threats to HIPAA Compliance by Gil Weber, Ophthalmology Management, January 2003
Wireless technology and Microsoft are creating serious new computer security risks.

Opening Records to Patients by Brad Cain, HealthLeaders, April 2002
As many organizations move to develop electronic medical record systems to improve their operations and to enhance patient care, a few are taking the process a step further: giving patients online access to their own records. This decision may ultimately become a differentiator among healthcare institutions in patients' eyes.

Go to TOP

Disaster Readiness & Recovery

Redefining Disaster by Mary K. Pratt, Computerworld, June 20, 2005
Some CIOs are imagining potential disasters that go well beyond the everyday hiccups that can disrupt applications and networks. Others, recognizing how integral IT is to business today, are focusing on the need to recover instantaneously from any unforeseen event. Many are trying to do both. But CIOs agree that disaster recovery planning has taken on an immediacy that didn't exist in the '90s.

Disaster Recovery: What it Means to Be Prepared by Al Decker, DM Review Magazine, January 2005
Business continuity management ensures the survival of a company, not just during or after a disaster, but during daily operations.

Do-It-Yourself Disaster Recovery by Charlie Jolie, Health-IT World News, August 3, 2004
The entire tech sector is talking about and fretting over disaster recovery. Seasoned healthcare IT pros, more concerned with HIPAA than hype, have actually been implementing disaster recovery plans for years. But are they paying too much? Understanding recovery objectives for each application and establishing recovery tiers going in will mean tremendously reduced costs at project's end.

Hospital Readiness, Response, and Recovery Resources from the American Hospital Association

American Society of Directors of Volunteer Services (ASDVS) Disaster Preparedness Guidelines for Healthcare Facilities (document file)
These standards and guidelines will help Directors of Volunteers anticipate and respond to unexpected challenges that arise from future disasters and emergencies.

Disaster Avoidance and Planning by Normand Martel, Healthcare Informatics, June 2003
Last fall, a computer network meltdown at 532-bed Beth Israel Deaconess Medical Center in Boston left the entire hospital without a network for days, forcing a temporary return to paper and pens. The episode continues to send shudders throughout the medical industry. It seems that the organization's best efforts failed to prevent the disastrous effects of a network crash. Many in the healthcare industry, feeling uncertain and vulnerable, are now asking, How do we protect ourselves from technological disaster?

Principles Of Hospital Disaster Planning. The Internet Journal of Disaster Medicine. 2000. Volume 1 Number 2.

Assessments and Disaster Recovery Plans - Where to Begin? - Notwithstanding HIPAA regulations, every hospital should have a definitive enterprise security posture. To facilitate a strong security position and be ready for a potential disaster, hospitals need to take the same steps that the financial community has embraced for years: constant, vigilant enterprise security review along with a solid disaster recovery plan (DRP).

Related Articles:

Katrina, One Year Later: IT Managers Fight Fatigue, Labor Shortages and Other Problems by Patrick Thibodeau, Computerworld, August 29, 2006
Since Hurricane Katrina struck one year ago today, there is much that IT managers interviewed in New Orleans last week, including Phoenix Health Systems' outsourced CIO Don Chenoweth at East Jefferson General Hospital, have done to shore up their technology infrastructures and try to ensure that their organizations can continue to operate no matter what.

Katrina's Wake by Mike Hrickiewicz and Bob Kehoe, Health Facilities Management, October 2005
Long before hurricanes Katrina and Rita had even formed--years before in some cases--emergency management teams along the Gulf Coast were bracing for what a hurricane could do to their hospitals. On Monday, Aug. 29, however, even some of the best-laid plans were no match for what turned out to be one of America's greatest natural disasters.

Hospitals Cope with Power Outage During a power outage in the northeastern US and Canada, hospitals turned on back-up power generators, canceled elective surgeries, and put emergency procedures in place to meet the challenge.

Disaster Planning Goes Beyond IT Any good disaster plan must go well beyond bulletproofing IT and consider a variety of human factors, reports ZDNet, according to a panel of research analysts speaking Monday at the Gartner Symposium/ITxpo 2001 in Lake Buena Vista, Florida. Specifically, Gartner analyst Roberta Witty emphasized that disaster planning requires such preparations as geographic dispersal of key executives, virtual work environments, and grief counseling programs. In light of the Sept. 11 tragedies, business continuity has emerged as a major theme at this year's Gartner conference. Gartner's panel of business continuity experts talked about how businesses must reconsider locating executives, staff, as well as IT systems and departments to multiple locations.

Go to TOP