Monday, March 9, 2009

Hungry, Hungry, HIPAA

Over the last year we have seen a small surge in HIPAA assessments from our clients. The few years leading up to that were pretty darn quiet compared to the initial storm when the regulation first came out. So why is that? Well, it’s something we say over and over: no one does security unless they have to, aside from a bit of due diligence. But that’s all about to change.

With HIPAA, other than some initial work a long time ago, it wasn’t that scary until the audits started. And most of that work was done under a risk-based assessment that likely favored the business over security. Even so, statistically speaking, your organization isn’t likely to get ‘hit’ any time soon given the number of audits being performed. In previous postings, we tried to make it easy for you and talked about using the NIST SP 800-66 framework.

Now, despite all our efforts, the current administration, like them or not, realizes that HIPAA still needs more teeth. I don’t know about you, but the $100,000 HIPAA audit fine for an organization in Seattle was nearly laughable compared to the millions of dollars being levied for PCI. So of course your ‘risk assessment’ is going to say that doing security isn’t worth the cost, given what we’ve seen to date. So the penalties need to be more painful, right? Painful enough that you feel like you have to do it.

Buried within the American Recovery and Reinvestment Act of 2009 (ARRA), signed in February, is the Health Information Technology for Economic and Clinical Health Act (HITECH Act), though there isn’t much high tech about it, go figure. It includes quite a few revisions to HIPAA, such as extending coverage to non-covered entities like business associates. But the high-impact area is mandatory breach notification and the requirements that follow from it. To enforce this, it is tied to increased penalties, fines and overall liability, and improved enforcement. Fines can now reach $1.5M per year for a given violation. State attorneys general can now bring civil actions under HIPAA. And finally, there will be more audits.

So, do we have your attention now? It’s time for organizations to dust off their HIPAA compliance manuals from 5+ years ago and get a fresh, independent review of what the real risks are, using an accepted framework. It’s time to get risk assessments performed, including penetration tests that truly simulate breaches, to see whether one could really happen there. Failing to do some assessment or audit work before a CMS audit is likely going to result in fines and reactive security, or worse, a very expensive breach. It’s better that experts like SecureState find the problem than CMS or the hacker, and for a lot less.
