Page 36 - CDM-Cyber-Warnings-January-2014
In its current form, the HIPAA Omnibus Rule leaves the door open for technology vendors to help the CEs and BAs decide what will satisfy the Security Rule based on the products they sell. Following a single vendor's advice on satisfying regulatory compliance will potentially create incompatible silos, thereby defeating a patient's ability to have portable access to their medical records. This is also a major difference between HIPAA and PCI. Not holding the smaller clinics and rural practitioners to the same security standards as larger hospitals and urban clinics is a major disservice to the patients, who will become the ultimate victims in the event of a breach.

The PCI Security Council has learned from the mistakes of the community, from numerous breaches and from security experts that unique logins paired with static passwords are an obsolete and insecure method of protecting cardholder data. HIPAA's demand that passwords be changed every 60 days creates an illusion of security.

All healthcare providers, large and small, use the same type of computer equipment to connect to the Internet to transmit and store data. Hackers and rogue insiders target the less secure computer systems—the path of least resistance—to gain access to the data. Why try to break into Fort Knox and take a chance on getting shot and caught, when it's much easier to go into smaller banks where they're not as heavily guarded?

The state of Massachusetts enacted 201 CMR 17.00 in 2010, requiring every organization that stores P.I.I. (Personally Identifiable Information) to encrypt the data or face severe penalties. The custodian of the data does not have to be based in Massachusetts for the law to apply to them; it applies so long as they house data on a single—that's right, one—resident of that state. HIPAA does not mandate encryption. Instead, it labels it as an "addressable" requirement.

PCI-DSS demands that cardholder data be encrypted, no ifs, ands or buts about it; so why isn't PHI subject to the same requirement under HIPAA? With the evolving threat of cyber attacks gaining momentum, is the current form of the HIPAA Security Rule strong enough to protect patient data from similar cyber attacks? I believe that the latest revision of PCI-DSS is a strong benchmark. While it's too soon to speculate on what security controls failed at the three large retailers, with the investigation by law enforcement still ongoing, I would venture a guess that had they implemented all of the controls of PCI-DSS version 3.0 ahead of the January 2015 deadline, the breaches could have been identified early and mitigated or even prevented.

The best way to address the challenges of HIPAA for CEs and BAs is to demystify the technical, procedural and training mandates that apply. This can be done by simply focusing on physical security, people security, data security, infrastructure security and crisis management, as recommended in industry-agnostic, plain-English frameworks such as the 5 pillars of Security Framework (TM). *(Again, this is my biased recommendation.)

On a final note, many healthcare organizations (CEs) accept credit cards from insured patients making co-payments and from uninsured patients making full payments, so they must comply with PCI-DSS as well. A good starting point for mapping PCI controls to HIPAA would be to utilize the ISO 27000 series to address both frameworks from a security perspective rather than a purely