Is the healthcare sector as a whole understanding the HIPAA security rules and why they are important?
I'm not seeing as much change as I first anticipated.
What are the biggest roadblocks?
One thing I try to help organizations understand is that privacy and security are not just a challenge for IT. This is something that affects the culture of the entire organization. If you don't have a security background in a provider organization, people are going to be missing the boat. Many of the security requirements are read-between-the-lines kind of material and no security background means you don't get the intent of the law. I was an IT person who thought I knew what security was until it hit me in the face. The concerns have to do with what skills the IT person has and where the person reports. A typical network admin doesn't have adequate scope of security knowledge and experience to run the whole security program. But they can learn. Also, if the ISO is buried within IT, they aren't typically going to have adequate clout within IT and especially outside IT. I recommend a dual reporting structure: (a.) to the CIO and (b.) to the CEO.
Specifically, how are hospitals doing?
Some get it and try hard to do the right thing. For many not-for-profit hospitals, however, the financial culture isn't geared toward security. Security is a tough sell. It's very common to go into a hospital and find no one has a security background beyond firewalls and antivirus. The security rule requires that organizations designate someone to focus on security. In many cases, that's just not happening. They point to someone who may be the best fit and say, "You're the security expert." Most hospitals struggle financially and are not inclined to invest in a security specialist. They hand it to someone in IT who may not be the best fit; someone who may not have organization-wide clout and respect needed to carry out the security program.
Where are you seeing successes?
I've seen progress in the basic areas of security administration, the gruntwork, reviewing and limiting access and trying to centralize controls. Most understand that's important. But it's hard to get your hands around it. You see a hodgepodge approach, which can be disastrous. Policies about access have been on the books a long time. Implementation and enforcement, keeping an audit trail, that's another monster.
HIPAA data security rules
HIPAA rules force health insurers to secure sensitive data: HIPAA is forcing a majority of health insurance companies ensure the security of sensitive data.
HIPAA security rules broken down: The HIPAA security requirements have been described by the Department of Health and Human Services, ArticSoft, HIPAAacademy.net and the Centers for Medicare & Medicaid Services (CMS).
HIPAA security rules essential to protect data, say experts. The HIPAA security rules force healthcare firms to protect sensitive healthcare information. The security rules could guard against identity theft and data security breaches, say IT pros and industry experts.
HIPAA security rules apply to firms with healthcare plans.Companies that offer healthcare plans are affected by the HIPAA security rules.
HIPAA security rules set hurdles for struggling hospitals: Struggling hospitals hand HIPAA responsibility to the IT department, which can cause problems, say experts.
HIPAA compliance officers explain hurdles, data security successes: HIPAA compliance officers share their problems and successes meeting the data security standards.
HIPAA causes data security problems for small businesses: Some doctors' offices and other small businesses are having trouble complying with HIPAA rules.
HIPAA security tools helpful for some firms: IT administrators explain the security tools they use to manage HIPAA security compliance.
What is the most important advice you have for those who struggle?
Understand upfront what an information security position entails. Understand the reporting structure you need in place. From a practical level you need IT, but it goes much beyond that. There has to be a dotted line straight to the CEO. A security officer needs direct access to the CEO. That sends a message to the rest of the workforce that this is serious. As to the first steps, I recommend appointing the ISO and get management backing. Then do a risk assessment. Then start developing policies, though keep in mind that policy development is ongoing. Policies should come before technology. Don't let the tail -- technology -- wag the dog. Don't go out and buy some technology before you know what your policy or position is. Technology should follow and support your policies. And it should be pretty obvious that policies should precede procedures and workforce training, too.