I M HIPAA: Hear me roar!

Submitted by Mike Rothman on Fri, 2009-02-20 10:42.
Today's Daily Incite

February 20, 2009 - Volume 4, #18

I M HIPAA: Hear me roar!!!

Good Morning:
Through the years, I've been pretty vocal about the fact that HIPAA has become a joke. A toothless tiger, if you will. I literally had discussions with healthcare security folks whose organizations made the decision to risk the limited HIPAA fines, rather than put the proper security controls in place to meet the spirit of the legislation.

Don't mess with this kitty...

The good news is that I wasn't the only one jumping on HIPAA. The Office of the Inspector General (OIG) got about two knuckles deep into the eyes of HHS (Dept of Health and Human Services), calling them out about the lack of enforcement relative to HIPAA.

Evidently the folks at HHS were listening and what they needed was a nice, costly public execution to prove to folks that they mean business. It looks like they got one, fining CVS $2 million for privacy violations in 2006. It seems that some of the pharmacists would just toss bottles with labels on them containing names and details of the medications. Obviously that's a no-no.

Even better is that CVS addressed the problems back in 2006 and they still got tagged with a big fine. OK, not big for a multi-billion dollar operation like CVS, but big enough to get the attention of lots of other organizations that probably have had similar transgressions.

And it gets even better; check out this quote from the SearchSecurity article:

Lax enforcement may be changing. President Barack Obama's stimulus package signed into law on Tuesday included new rules significantly expanding HIPAA. The rules govern the privacy and security of medical records for healthcare organizations and now their so-called business associates. The new rules include a breach notification law, forcing healthcare providers to notify individuals publicly if more than 500 people are impacted by a breach. Stricter enforcement and penalties are also outlined in the law. It authorizes State Attorneys General to bring a civil action in federal District Court against individuals who violate HIPAA.

That is just outstanding, especially the part about allowing State AGs to bring civil actions against individuals. Lord knows an Attorney General never met a lawsuit (especially one that shows how his/her citizens have been wronged) they didn't like, especially when it comes with lots of PR coverage.

So what does that mean for us practitioners? Basically, if you are in the healthcare business, your HIPAA vacation is over. I suspect there will be a number of other public executions to show that the new HHS regime means business, especially with the explicit direction from the Obama administration to push forward with electronic medical records.

It's time to revisit the training procedures relative to making sure your employees understand how to handle private data. It also probably makes sense to look at that DLP technology (even if it's poor man's DLP built into email and web security gateways) and possibly NetFlow analysis/data to see if there are strange network flows indicating information leakage. If you've been trying to get a project funded, this kind of data point will be pretty useful (remember Selling Fear?).
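The NetFlow angle above, as an added example that is not part of Mike's post: a Python sketch that sums external egress per internal host from constructed flow records, then flags hosts whose volume is far above their peers or that connect to unexpected ports outside business hours. The internal address ranges, expected ports and hours are assumptions you would replace with your own.

```python
"""Flag suspicious outbound flows in NetFlow-style records (illustrative only)."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumption
EXPECTED_PORTS = {80, 443, 25, 53}  # assumption: normal egress services
BUSINESS_HOURS = range(7, 20)       # assumption: 07:00-19:59 local

# Constructed sample flows: (src_ip, dst_ip, dst_port, bytes_out, hour_of_day)
SAMPLE_FLOWS = [
    ("10.1.1.5", "203.0.113.10", 443, 120_000, 10),
    ("10.1.1.5", "203.0.113.10", 443, 90_000, 11),
    ("10.1.1.7", "198.51.100.20", 80, 40_000, 14),
    ("10.1.1.9", "198.51.100.77", 4444, 850_000_000, 2),  # large, odd port, 2am
    ("10.1.1.9", "10.2.0.3", 445, 500_000_000, 3),        # internal-only: ignored
    ("192.168.4.2", "203.0.113.55", 443, 60_000, 9),
]

def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)

def egress_by_host(flows):
    """Sum bytes each internal host sends to external destinations."""
    totals = defaultdict(int)
    for src, dst, _port, nbytes, _hour in flows:
        if is_internal(src) and not is_internal(dst):
            totals[src] += nbytes
    return dict(totals)

def suspicious_hosts(flows, baseline_factor=10):
    """Return {host: [reasons]}. A host is flagged when its external egress
    exceeds baseline_factor x the median egress of its peers, or when it talks
    to an unexpected port outside business hours."""
    totals = egress_by_host(flows)
    if not totals:
        return {}
    ordered = sorted(totals.values())
    median = ordered[len(ordered) // 2]
    findings = defaultdict(list)
    for host, total in totals.items():
        if total > baseline_factor * median:
            findings[host].append(f"egress {total} bytes > {baseline_factor}x median {median}")
    for src, dst, port, _nbytes, hour in flows:
        if is_internal(src) and not is_internal(dst):
            if port not in EXPECTED_PORTS and hour not in BUSINESS_HOURS:
                findings[src].append(f"port {port} to {dst} at {hour:02d}:00")
    return dict(findings)
```

On the sample data only 10.1.1.9 is reported, once for volume and once for the odd-hour connection; real records would come from your collector's export rather than the inline list.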

Finally get ready for the HIPAA FUD bonanza coming from the vendors. All 800 vendors left will be frantically figuring out how to renew their pitch around HIPAA compliance for the healthcare space. Once again, the regulatory Gods are shining their warm lights down on the information security business.

Have a great weekend.

Photo credits: “Tiger face portrait in a square” originally uploaded by GavinBell 



Submitted by Joe Franscella (not verified) on Fri, 2009-02-20 12:17.
There is one case when HIPAA has a powerful grip. Those of you with teenagers may know all too well that big health care organizations like Kaiser flat out refuse to provide you with any information regarding your kids, after they've hit 13, unless that kid provides written and verbal permission.
Submitted by Jim Hietala (not verified) on Fri, 2009-02-20 13:59.

I'm not sure that this one enforcement action signals a shift towards real HIPAA compliance...I think the FTC had more to do with the size of the judgement than DHHS did. I also don't think it means that there will be a rush from vendors towards the healthcare market- the "breach" had nothing to do with technical security controls, as far as I can tell. More to do with process/administrative control failure. There are some other developments in healthcare IT security, and I blogged about this here today myself-

http://www.compliancefocus.com/

Jim

Submitted by Neil Roiter (not verified) on Mon, 2009-03-02 15:36.

The vendor FUD is starting--SearchSecurity got this briefing request from DLP vendor Code Green. They don't mention HIPAA directly, but it's not coincidental. Clearly they just tweaked out some of their core product for this:


"At a time when the US healthcare industry is moving quickly toward electronic records, security is a bigger concern than ever. On March 9, Code Green Networks www.codegreennetworks.com will announce a new data loss prevention solution tailored specifically for hospitals, clinics, and other provider organizations. Featuring easy setup and configuration via industry-specific data inspection libraries, the new Code Green solution allows organizations to discover and address potential security leaks within minutes of setting up the solution."
