Self-Assessments for HIPAA are Just the Tip of the Iceberg
More Preparation is Required!
As we all know by now, the Office for Civil Rights (OCR) will be stepping up enforcement activities under its ongoing audit efforts by the end of 2014 and beyond. These audits will also include business associates, which are now directly liable under the HIPAA/HITECH security and privacy regulations because of the changes brought about by the finalization of the Omnibus Rule. Guidance such as the security risk self-assessment tool released by the Office of the National Coordinator for Health Information Technology (ONC) to assist covered entities in becoming compliant is appreciated; however, these types of tools are just the ‘tip of the iceberg’ in terms of ‘true’ security and privacy. In fact, the disclaimer at the bottom of the tool’s download page reinforces this opinion: “use of this tool is neither required by nor guarantees compliance with federal, state or local laws” and “the Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks.”
It never ceases to amaze how lightly important privacy and security concerns are taken, especially in the healthcare industry. The healthcare industry is way behind other industries when it comes to information security and privacy, but let’s face it, individuals give their physicians more personal information about themselves than they give their bankers. The healthcare industry has a responsibility and duty to protect this information. Unfortunately, healthcare organizations aren’t doing a good job at it, and the service providers that assist these organizations probably don’t even realize what is required of them to secure this health information. Let’s not even get started on health information exchanges and how every single person in the United States will eventually have their personal health information maintained in a database somewhere. The scariest part of it all is that these individuals, organizations, and providers may not even know where this data is or who will have access to it.
Healthcare information is a valued commodity in the criminal underground. It is more coveted than even credit card information or other financial information. As the healthcare industry becomes more reliant on technology and paper records become digitized, breaches of this information will increase. Hackers only have to find one weak point, while the IT folks responsible for this data are accountable for every point, all while keeping the organization’s operations running. A fine balance must be kept between functionality and security as technology becomes more interconnected.
So what can organizations do? Organizations need to look beyond mere compliance and ‘check’ sheets. From this author’s experience, most healthcare organizations don’t have the security expertise ‘in-house’ to thoroughly perform or comprehensively evaluate their organization’s security posture. As a case in point, one of the requirements under the HIPAA Security Rule is to perform a technical evaluation. A checklist may list this evaluation as an item to complete, but how is the quality of the technical review being assessed? Are the IT folks who configure and maintain the systems also responsible for ‘testing’ these systems? Under any audit review, this would be considered a ‘conflict of interest’. There needs to be a separation of duties and independence when it comes to performing such a technical evaluation. An organization should consider hiring a professional expert who is experienced and qualified to perform these independent technical evaluations. IT folks should not be testing themselves.
Healthcare organizations need to fully understand how their policies and procedures are being implemented. Again, the ‘checklist’ may help in determining what policies and procedures are required, but how is the organization determining whether they are actually being followed appropriately? Did the organization just purchase ‘pre-canned’ policy templates, or did it actually work through these policies to make them its ‘own’?
Regulators don’t have the resources to ensure that covered entities and business associates are meeting the requirements. Short of receiving a complaint, falling victim to a breach, or being ‘randomly’ drawn from a large pool, the chances of an organization being audited by OCR are pretty low. Unfortunately, this system of enforcement is not going to be enough to assure individuals that their healthcare information is private and secure. To build trust within the industry, more work needs to be done. Looking at other heavily regulated industries, the financial industry has a requirement to perform certain independent assessments. Financial organizations are required to submit these reports to auditors and regulators on a regular basis for validation. When will OCR require covered entities (and business associates) to provide such proof of compliance, as opposed to simply accepting these organizations’ ‘word’ that they are doing what they are supposed to?
Until the healthcare industry ‘fast forwards’ about 20 years in terms of information security and we move beyond just meeting the minimum standard of compliance, individuals’ personal health information is going to be a prime target for criminals.
About the Author: John “Jay” Trinckes, Jr., CISSP, CISM, CRISC – President/CEO of Eagle Trace Security Consulting, Inc., and author of “The Definitive Guide to Complying with the HIPAA/HITECH Privacy and Security Rules”. Jay is an industry thought leader and subject matter expert in the area of information security and HIPAA compliance.