Page 34 - CDM-Cyber-Warnings-January-2014
What HIPAA can learn from PCI-DSS

“When you dance with the devil, you wait for the song to stop.” Barry the Baptist, in the 1999 movie Lock, Stock & Two Smoking Barrels.

I am reminded of that line for all the healthcare organizations that accepted money from the federal government under the HIPAA HITECH Act of the American Reconstruction and Recovery Act of 2009. Add to that list the EMR/EHR software vendors, who were only too happy to take that money by selling their products to healthcare organizations as the end-all-be-all for all of their HIPAA compliance headaches. Yet for all of the effort spent adopting electronic medical/health records systems, complying with the “Meaningful Use” portion of the act, making a smooth conversion from ICD-9 to ICD-10 codes, and ensuring Business Associate compliance, many healthcare organizations are paying lip service to the Security Rule of the HITECH Act. They simply check off boxes on the HIPAA audit, claiming compliance on the strength of anti-virus software and an off-the-shelf firewall. While this is obviously not the norm for the larger hospitals, it is standard operating procedure for thousands of clinics and small medical practices across the country. This makes them the low-hanging fruit, ripe to be picked by hackers and rogue insiders.

In 2014 HIPAA will turn 18 years old, while PCI is only half that age. Yet for some reason, HIPAA is far behind the curve when it comes to the security of the storage, access, and sharing of data. The HIPAA Security Rule is stuck in 2003, while the threats from insiders and from hackers working for organized crime are rapidly evolving, improving their techniques to evade detection.

What are ICD-10 codes? They are the 10th revision of the International Statistical Classification of Diseases and Related Health Problems, a medical classification by the World Health Organization.
To put it into plain English, under ICD-9 a patient would have sought care for an animal bite, and the attending physician would have written his notes as an animal bite. Under ICD-10, however, the caregiver must classify in their notes what type of animal bite it was and how deep it penetrated. The extra sub-classifications are meant to control the disbursement of payments from insurers to healthcare practitioners. Being overly concerned with ICD-10 conversion and not enough with the security of the corporate network and cloud systems hosting the billing software is like a surgery team paying attention only to how many scalpels they have in preparation for a surgery, but not ensuring that the operating room is sterile and has restricted access.

PCI-DSS is far from perfect, with some financial analysts recently calling it a failure. If we consider that the credit card industry has yet to replace magnetic stripes and signatures by adopting the global EMV (chip and PIN) standard in the United States, then I completely agree that it is a failure. However, I completely disagree that everything else it has successfully accomplished should be scrapped altogether, as some have suggested. If it was a complete