Security risks on the rise for 2014
Kroll's Senior Managing Director Alan Brill offered his thoughts about the special problems posed to the healthcare sector in the coming year.
Q: What's the biggest security challenge facing healthcare organizations in 2014?
A: Probably the biggest challenges will be keeping up with the requirements set by HIPAA/HITECH as HHS gains more experience through its OCR audit programs. We see that many organizations need to take some time to make sure that their policies and standards are in line with the specific wording called for in the final omnibus rule. This is a way of avoiding problems that are easily avoided. The second part is asking the question: "How do we know we are actually doing what we say we're doing in our policies and procedures?"
That's a question that the auditors will almost always ask, and to the extent you have a way of collecting the evidence that you're complying with your rules, not only will you be ready, but you will know you're operating in compliance with the rules.
It also looks like a lot of healthcare organizations still have a fair number of machines running Windows XP. With that operating system hitting end-of-life, it means that as of next April, there will be no more patches, not even for critical security problems. You don't want to be in that situation, so in the few months between now and then, you should be planning to evolve off of the XP platform. Start by making an inventory of all machines so that you know how much work you'll have to do.
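The XP inventory step above is where most organizations stall, because nobody has an authoritative list. The following PowerShell is an added example, not part of the interview or of Kroll's practice; it assumes the machines are joined to an Active Directory domain and that the RSAT ActiveDirectory module is installed on the workstation running it. The filter, the 30-day cutoff and the output file name are choices made for this example.

```powershell
# Added example (not from the interview): enumerate domain-joined computers whose
# AD object still reports a Windows XP operating system, so the migration scope is known.
# Assumes an Active Directory domain and the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$xpHosts = @(Get-ADComputer -Filter 'OperatingSystem -like "Windows XP*"' `
    -Properties OperatingSystem, OperatingSystemServicePack, LastLogonDate |
    Select-Object Name, OperatingSystem, OperatingSystemServicePack, LastLogonDate, DistinguishedName)

# Separate recently active hosts from stale accounts; a stale XP account may be a
# decommissioned machine, but it still needs to be confirmed rather than assumed gone.
$cutoff = (Get-Date).AddDays(-30)   # 30-day window is an assumption for this example
$active = @($xpHosts | Where-Object { $_.LastLogonDate -and $_.LastLogonDate -ge $cutoff })
$stale  = @($xpHosts | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff })

"XP computer accounts in AD: $($xpHosts.Count) (active in last 30 days: $($active.Count); stale or never logged on: $($stale.Count))"

# Export the list so the migration can be tracked against it
$xpHosts | Sort-Object LastLogonDate -Descending |
    Export-Csv -Path .\xp-inventory.csv -NoTypeInformation
```

Active Directory only knows about domain-joined machines. Clinical and biomedical devices, vendor-managed workstations and anything on an isolated segment will not appear in this list, so the AD result should be reconciled against DHCP leases, asset-management records and an authorized network scan before it is treated as the complete inventory.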
Q: How does healthcare stack up to other industries when it comes to keeping data safe? Can it even be compared to other industries?
A: It's our experience at Kroll that one difference between healthcare and other industries is that patients and their families really expect PHI to be protected. That seems to be independent of the HIPAA and HITECH laws. We think this is one reason why healthcare organization boards of directors report that the threat of data breaches keeps them up at night, and they are increasingly focusing on data security and privacy issues, and on HIPAA compliance.
Aside from the actual penalties, healthcare providers are acutely aware of the value of their reputations, built over decades in many cases. Protecting that reputational value is important, and board audit committees are looking to the risk managers, IT directors, compliance managers and similar specialists to help them sleep better at night.
Q: How does the new HIPAA Omnibus rule, with its increased penalties and broadened scope, change how healthcare organizations and their business associates should be thinking about patient data? Are enough organizations, on both the provider and the vendor sides, aware of the new rules, and the enforcement actions they could be facing in the event of a breach?
A: We are seeing that a lot of organizations' senior management are focusing on the risks associated with data security, privacy and data breaches, and they are looking to get some assurance that their standards, policies and procedures not only mirror the specific requirements of the final omnibus rule, and that they have 100 percent compliance from a policy and documentation standpoint, but that they are also doing what they are supposed to be doing.
If you have great policies but don't carry them out or enforce them, it's going to look bad if there's an incident that could have (and should have) been prevented, or if there's an audit and the auditors find that your standards just sit on a shelf and are never really implemented in practice.
I think it's also fair to say that healthcare organizations are, or should be, reaching out to every single business associate to make sure that they are compliant as well. If there's a breach at a BA, you can't just point a finger at them and disclaim responsibility. So take the time to find out whether their threat assessments, security programs and privacy/breach notification policies are in line with both HIPAA/HITECH and your policies as well.