
Prioritization for Healthcare Executives
Many IT folks know that, regardless of their respective fields, the “unofficial” eighth and ninth layers of the OSI model are budget and politics. Healthcare is no different, and some may argue that healthcare has more stringent competition within the “budget” layer. With limited funds and many demands, organizations are faced with balancing all needs stemming from internal and external pressures. As a result, some sought-after security products get delayed or outright shelved until the next fiscal year, when they can compete again. Short of a divining rod or a scrying pool, it’s difficult to know what the top pressures or concerns may be. Luckily, groups like the Managed Care Executive Group (MCEG) publish their Top 10 issues collected from healthcare leaders across the country. Not surprisingly, many elements on the list discuss points of fiscal sustainability as it relates to funding from sources such as Medicare and Medicaid, and why wouldn’t they? If an organization isn’t able to make money, then the security posture won’t matter soon enough.

From a security perspective, some interesting elements are found within number 7 – Health Information Exchanges. It briefly hits on security where, “HIEs, in many cases, are being launched under time pressures by relatively inexperienced and under-resourced groups, exposing a lot of data to misuse and/or errors.” At number seven in the list of ten we finally get to potential PHI breach concerns. Even so, it doesn’t outright mention HIPAA, HITECH, or the Health and Human Services (HHS) Office of Civil Rights (OCR). With the OCR increasing enforcement of HIPAA and HITECH regulations, and recent fines and penalties this year totaling over $5 million ($4.3 million and $1 million respectively), this is a little surprising. Many agree that the OCR is finding its footing in enforcement and that its momentum is only going to increase.
I don’t know a lot of organizations that can pay such fines and the corresponding costs of immediate internal corrective actions (let alone the public relations costs) without too much concern. How does this help the resource-strapped healthcare organization? The actions that precipitated these fines weren’t ground-breaking hacks. They were procedural issues that could have been addressed early, and they are all part of an environment that secures and protects patient privacy: the goal of HIPAA/HITECH and of other requirements such as those found in PCI. Looking at the details of the OCR issues, and knowing those top concerns, may help reprioritize security. Even those in a resource-strained company can benefit by using the recent OCR actions as a guide and by focusing initially on non-product-based solutions that are no-to-low cost (such as policies and procedural changes, staff training, etc.), which are the foundational elements of a sound security posture. Once those are solidified, it becomes easier for those shelved security products to get dusted off and receive the green light.

Resources:
Managed Care Executive Group – https://www.mceg.net
HHS Office of Civil Rights – https://www.hhs.gov/ocr/privacy/hipaa/news/index.html