Healthcare security is in for changes in 2009...

There have been a number of recent developments affecting healthcare security and compliance.

One is a significant penalty levied against CVS by the FTC and DHHS: $2.25M. First, let's look at the compliance issue: CVS employees apparently disposed of sensitive data (PHI, credit card, and insurance information) by dumping it in the trash, where anyone could discover it. And here I thought dumpster diving was a lost art form.

Because this was a joint investigation, and because historically the FTC has been far more willing to impose stiff penalties than has DHHS/CMS, I think the serious penalty probably has more to do with the FTC's involvement, rather than any real shift in HIPAA compliance enforcement on the part of DHHS. As I previously blogged about here, DHHS is doing a handful of audits (<20) of large healthcare providers, which is a move towards getting more serious, but not a huge move, given there are ~5,000 hospitals in the US.

Another recent development in the healthcare security area is the HITRUST Alliance, which is comprised of a number of large healthcare providers. This organization has a laudable goal of building a "common security framework" for healthcare organizations. They have buy-in and involvement from CISOs at large HCOs. They are apparently making progress, as they have a launch event scheduled for 3/3/09. From the information available on the website, they are getting to a more detailed level than the HIPAA Security rule gets to, which is a good and welcome thing.

I wonder about adoption, given that this is not attached to any compliance regulation or enforcement. The healthcare industry has been famous for avoiding getting serious about security for a long time. Perhaps this will be picked up as something required for JCAHO accreditation, which is important to HCOs, or perhaps it will get referenced in new privacy and security standards that are mentioned in the recovery bill, as a future requirement to be addressed as part of a move towards electronic health records. Time will tell. Certainly, if the healthcare industry moves seriously towards EHRs, and linking of different providers' networks via regional/national health information networks, security and privacy are BIG issues, and the current HIPAA Security and Privacy rules aren't sufficient.

Jim