Published on Security Incite: Analysis on Information Security (http://securityincite.com)

I M HIPAA: Hear me roar!

By Mike Rothman
Created 2009-02-20 10:42
Today's Daily Incite

February 20, 2009 - Volume 4, #18

I M HIPAA: Hear me roar!!!

Good Morning:
Through the years, I've been pretty vocal about the fact that HIPAA has become a joke. A toothless tiger, if you will. I literally had discussions with healthcare security folks whose organizations made the decision to risk the limited HIPAA fines, rather than put the proper security controls in place to meet the spirit of the legislation.

The good news is that I wasn't the only one jumping on HIPAA. The Office of the Inspector General (OIG) got about two knuckles deep into the eyes of HHS (Dept of Health and Human Services) calling them out about the lack of enforcement relative to HIPAA.

Evidently the folks at HHS were listening and what they needed was a nice, costly public execution to prove to folks that they mean business. It looks like they got one, fining CVS $2 million for privacy violations in 2006 [1]. It seems that some of the pharmacists would just toss bottles with labels on them containing names and details of the medications. Obviously that's a no-no.

Even better is that CVS addressed the problems back in 2006 and they still got tagged with a big fine. OK, not big for a multi-billion dollar operation like CVS, but big enough to get the attention of lots of other organizations that probably have had similar transgressions.

And it gets even better; check out this quote from the SearchSecurity article [2]:

Lax enforcement may be changing. President Barack Obama's stimulus package signed into law on Tuesday included new rules significantly expanding HIPAA. The rules govern the privacy and security of medical records for healthcare organizations and now their so-called business associates. The new rules include a breach notification law, forcing healthcare providers to notify individuals publicly if more than 500 people are impacted by a breach. Stricter enforcement and penalties are also outlined in the law. It authorizes State Attorneys General to bring a civil action in federal District Court against individuals who violate HIPAA.

That is just outstanding, especially the part about allowing State AGs to bring civil actions against individuals. Lord knows an Attorney General never met a lawsuit (especially if it shows how his/her citizens have been wronged) they didn't like, especially when it comes with lots of PR coverage.

So what does that mean for us practitioners? Basically, if you are in the healthcare business, your HIPAA vacation is over. I suspect there will be a number of other public executions to show that the new HHS regime means business, especially with the explicit direction from the Obama administration to push forward with electronic medical records.

It's time to revisit the training procedures relative to making sure your employees understand how to handle private data. It also probably makes sense to look at that DLP technology (even if it's poor man's DLP built into email and web security gateways) and possibly NetFlow analysis/data to see if there are strange network flows indicating information leakage. If you've been trying to get a project funded, this kind of data point will be pretty useful (remember about Selling Fear [3]?).

Finally, get ready for the HIPAA FUD bonanza coming from the vendors. All 800 vendors left will be frantically figuring out how to renew their pitch around HIPAA compliance for the healthcare space. Once again, the regulatory Gods are shining their warm lights down on the information security business.

Have a great weekend.

Photo credits: “Tiger face portrait in a square” originally uploaded by GavinBell [4] 


Source URL:
http://securityincite.com/blog/mike-rothman/i-m-hipaa-hear-me-roar