A great challenge with gaining massive industry adoption of a set of standards – regardless of security, privacy, or operational effectiveness measures is making it worthwhile. Some aspects of regulation and industry led practices are obvious and clear. Others are strikingly similar (duplication in many instances) and can be adopted simply by communication and adjustments. Unfortunately there are specific requirements that are not sufficient alone as self-evident, and these are then made necessary through fines and punitive actions.
HIPAA / HITECH components are absolutely valuable to the consumer, the individual enterprise, and the industry as a whole. This is true when the directives are merged into the existing culture, and the business is able to remain competitive. There are challenges of course when a business tries to bolt-on a set of requirements, as these are seldom done efficiently, effectively, and are generally unsustainable.
The financial damage to industry is clear – the most recent studies show over the past 5 years data breaches have cost victims $139 billion (Digital Forensics Association). In addition there is a growing trend of enforcement by state and the federal agencies, such as the California DPH actions (audio teleconference file).
When these enforcements are released though there is always valuable intelligence released highlighting what is expected – today. This perspective reinforces that security mandates’ intent are to secure the data, and businesses must shift and respond as the attack vector shifts and evolves. The recent Rite Aid $1,000,000 penalty enforced by the OCR and FTC provided the following direction:
- Implementation of complete and sufficient Policies and Procedures is critical – specifically must include safeguarding PHI during the disposal process (dumpsters, shredding, disk wipe management, third party terminations)
- Develop complete training related to all aspects for protection of sensitive information – job specific training
- Develop, implement, and maintain sanctions policies
A nice article regarding Rite Aid is available here from Information Week.
As has been consistent with prior Federal enforcement, a 20 year expectation of independent security assessments is required with sufficient monitoring and triggering. Here is the link to the Federal press release. Other case examples and resolutions are available here.
As the data suggests that 395,000 individuals’ data files are being stolen daily, this is not a focus on the Healthcare sector but to provide lessons learned from others.