Many IT folks know that, regardless of their field, the “unofficial” eighth and ninth layers of the OSI model are budget and politics. Healthcare is no different, and some would argue that competition within the “budget” layer is even more stringent there. With limited funds and many demands, organizations must balance every need stemming from internal and external pressures. As a result, some sought-after security products get delayed or outright shelved until the next fiscal year, when they can compete again. Short of a divining rod or a scrying pool, it is difficult to know what the top pressures or concerns may be. Luckily, groups like the Managed Care Executive Group (MCEG) publish a Top 10 list of issues collected from healthcare leaders across the country. Not surprisingly, many elements on the list concern fiscal sustainability as it relates to funding from sources such as Medicare and Medicaid, and why wouldn’t they? If an organization can’t make money, its security posture soon won’t matter.

From a security perspective, the interesting material is found in number 7, Health Information Exchanges. It briefly touches on security: “HIE’s, in many cases, are being launched under time pressures by relatively inexperienced and under-resourced groups, exposing a lot of data to misuse and/or errors.” Only at number seven in a list of ten do we reach potential PHI breach concerns, and even then the list doesn’t mention HIPAA, HITECH, or the Health and Human Services (HHS) Office of Civil Rights (OCR) by name. Given that the OCR is stepping up enforcement of HIPAA and HITECH, with fines and penalties this year totaling over $5 million ($4.3 million and $1 million respectively), this is a little surprising. Many agree that the OCR is finding its footing in enforcement and that its momentum will only increase.
I don’t know many organizations that can absorb such fines, plus the cost of immediate internal corrective actions (let alone the public relations cost), without serious concern. How does this help the resource-strapped healthcare organization? The actions that triggered these fines weren’t ground-breaking hacks. They were procedural failures that could have been addressed early, and addressing them is part of building an environment that secures and protects patient privacy, which is the goal of HIPAA/HITECH and of requirements such as PCI. Studying the details of the OCR actions alongside the industry’s top concerns can help reprioritize security spending. Even a resource-strained company can benefit by learning from the recent OCR actions and focusing first on non-product solutions that cost little or nothing (policies and procedural changes, staff training, and so on); these are the foundational elements of a sound security posture. Once those are solidified, it becomes easier for the shelved security products to get dusted off and receive the green light.

Resources:
Managed Care Executive Group – https://www.mceg.net
HHS Office of Civil Rights – https://www.hhs.gov/ocr/privacy/hipaa/news/index.html