Compliance, Cyber Security Framework, & Risk
From Issue 20
Earlier this year the health insurance company Anthem settled its 2015-reported data breach with the Department of Health and Human Services (HHS) for a record $16 million. Equally striking is that the Anthem breach had begun in 2014, just months after the company was celebrated for becoming HITRUST certified.
HITRUST is an expensive healthcare compliance certification that tried unsuccessfully to establish itself as the sole standard for measuring HIPAA Security Rule compliance. Fortunately, HHS still does not endorse any specific credential or compliance framework, although the federal government does author the NIST approach our company uses. Demonstrable Security Rule compliance, as HHS would assess it, is the standard by which a program is measured, but it is not the only consideration for a covered entity (CE) and its electronic protected health information (ePHI).
Regardless of their organization’s size, HIPAA security officers should be aware of the cybersecurity framework (CSF) elements employed to protect patient information. There are a handful of CSFs (SANS, NIST, COBIT, etc.), and even a small organization can adopt the SANS CIS Critical Controls for Effective Cyber Defense. We realize that most HIPAA or compliance officers are not necessarily CSF experts and that many rely on in-house information technology teams or contracted technology service providers, but our point is that a mature HIPAA security program includes actionable, routine traditional information security work based on a CSF.
The Security Rule’s required risk analysis aside, both compliance and security need to be viewed from the perspective of risk: specifically, the risk of unauthorized disclosure, of harm to a CE’s or business associate’s (BA’s) reputation, of lost revenue and of myriad other legal issues. That risk then has to be managed in one of four ways: accepted, transferred, avoided or mitigated. Each term has a specific technical meaning that needs to be well understood before one of them is chosen.
It is our experience that many CEs will better realize the Security Rule’s real value to healthcare by viewing their program from all three of these perspectives: compliance, a cybersecurity framework and risk.