Is the healthcare sector as a whole understanding the HIPAA security rules and why they are important?
I'm not seeing as much change as I first anticipated.
What are the biggest roadblocks?
One thing I try to help organizations understand is that privacy and security are not just a challenge for IT. This is something that affects the culture of the entire organization. If you don't have a security background in a provider organization, people are going to be missing the boat. Many of the security requirements are read-between-the-lines kind of material, and no security background means you don't get the intent of the law. I was an IT person who thought I knew what security was until it hit me in the face. The concerns have to do with what skills the IT person has and where the person reports. A typical network admin doesn't have adequate scope of security knowledge and experience to run the whole security program. But they can learn. Also, if the ISO is buried within IT, they aren't typically going to have adequate clout within IT and especially outside IT. I recommend a dual reporting structure: (a) to the CIO and (b) to the CEO.
Specifically, how are hospitals doing?
Some get it and try hard to do the right thing. For many not-for-profit hospitals, however, the financial culture isn't geared toward security. Security is a tough sell. It's very common to go into a hospital and find no one has a security background beyond firewalls and antivirus. The security rule requires that organizations designate someone to focus on security. In many cases, that's just not happening. They point to someone who may be the best fit and say, "You're the security expert." Most hospitals struggle financially and are not inclined to invest in a security specialist. They hand it to someone in IT who may not be the best fit; someone who may not have organization-wide clout and respect needed to carry out the security program.
Where are you seeing successes?
I've seen progress in the basic areas of security administration, the grunt work: reviewing and limiting access and trying to centralize controls. Most understand that's important. But it's hard to get your hands around it. You see a hodgepodge approach, which can be disastrous. Policies about access have been on the books a long time. Implementation and enforcement, keeping an audit trail, that's another monster.
What is the most important advice you have for those who struggle?
Understand up front what an information security position entails. Understand the reporting structure you need in place. From a practical level you need IT, but it goes much beyond that. There has to be a dotted line straight to the CEO. A security officer needs direct access to the CEO. That sends a message to the rest of the workforce that this is serious. As to the first steps, I recommend appointing the ISO and getting management backing. Then do a risk assessment. Then start developing policies, though keep in mind that policy development is ongoing. Policies should come before technology. Don't let the tail -- technology -- wag the dog. Don't go out and buy some technology before you know what your policy or position is. Technology should follow and support your policies. And it should be pretty obvious that policies should precede procedures and workforce training, too.