This article can also be found in the Premium Editorial Download "Information Security magazine: What's your biggest information security concern?."
Without enforcement or financial incentives for compliance, HIPAA is toothless.
I recently had an enlightening meeting with some of the physicians at my organization. I originally called the meeting to discuss the upcoming deployment of RFID-based, single sign-on authentication tokens in their department. We were supposed to talk about how this technology was going to make accessing clinical data easier, make our electronic records more secure and provide better HIPAA compliance. It was supposed to be a win-win situation.
I was wrong.
As I began to explain the benefits of the technology, the head physician cut me off. He bluntly said he didn't believe HIPAA was important and that he would not follow any policies because he didn't believe anyone would indict a physician over a security violation. He said all of the physicians in his area shared their passwords, and sometimes one physician would remain logged in on all of the department's computers so everyone had access to applications.
I explained this action was a violation of company policy and that this behavior would have to change. As a result, I won't be winning any employee popularity contests in this department any time soon. Once again, I ask myself why I enjoy committing political suicide.
I know that most information security professionals face this type of situation every so often. However, the situation seems to be worse in healthcare. HIPAA is a law with no teeth, and infosecurity professionals in healthcare need real evidence of consequences for not being compliant if HIPAA is to be enforced as intended. The message we have been trying to convey to our companies has distorted into fear, uncertainty and doubt. We have been saying, "The sky is falling!" for almost three years, but there hasn't even been a cloud--there has not been a compelling monetary reason for the healthcare industry to adopt HIPAA security policies. The healthcare landscape has been rocky at best, with increasing costs and decreasing reimbursement, and companies are looking at every expense and trimming all but the most vital. Implementing HIPAA security can strain these already stretched resources.
These companies are making hard decisions--like offering a new surgical procedure or purchasing a network virus scanner. Medicare isn't going to increase its reimbursement rates because an organization has strong passwords. Add to this the lack of enforcement, and it is obvious why a 2005 survey by the Healthcare Information and Management Systems Society shows that only 43 percent of all healthcare providers are HIPAA security compliant.
I don't want to paint too dark a picture. Progress has been made and some healthcare providers have recognized that strong information security is part of offering good patient care. However, we will need a mixture of enforcement and financial incentives to ensure the security of electronic medical records, and to make HIPAA compliance commonplace throughout the industry instead of the exception.
This was first published in December 2006