Page 39 - CDM-Cyber-Warnings-January-2014
LEO: The breach notification rule; due to its broad-based approach, even minor "possible" breaches will have to be reported due to the reporting time constraints.

Gerry Blass summarized all of the questions by stating the following: The technical safeguard requirements for PCI seem to be more black and white than for HIPAA and Meaningful Use. The PCI rule is focused on specific standard credit card transactions, and it seems logical that an across-the-board standard can be achieved. HIPAA Security, on the other hand, applies to many variables in terms of standards and implementation specifications and organizational complexities. So HIPAA covered entities are able to demonstrate due diligence by conducting a risk assessment followed by a process for ongoing risk mitigation. The HITECH Omnibus rule has made encryption mandatory for vulnerable electronic protected health information (ePHI) due to the large number of breaches that have occurred mainly due to loss or theft of laptops, flash drives, etc. So the requirement to encrypt vulnerable ePHI is no longer a risk decision. High risk is assumed, and anything less than encryption is basically willful neglect at this point. And with that comes large penalties and potential lawsuits.

Gerry goes on to state that another area that should become more black and white in the HIPAA Security Rule is the technical safeguard for user authentication. For most healthcare software applications, the safeguard is still usernames and passwords, and the passwords are normally force-changed periodically. We should eventually see a more stringent requirement for multi-factor authentication to match what PCI now requires. We are certain that the technical safeguards that will be in place for healthcare applications and networks 5 - 10 years from now will continue to evolve to be stronger and required in order to properly protect against unauthorized access.
All of the above also applies to the Meaningful Use Rule for the Information Security Risk Assessment measure, since it refers to the HIPAA rule. My final thought on these answers is that I hope it doesn't take 5 to 10 years for the HIPAA Security Rule to evolve and adapt, but I'm not going to hold my breath. I'm afraid that it will be the result of several high-profile breaches on the same scale as the recent Target Corp attack to get the healthcare industry to change course, or it might take an act of Congress.

About The Author

Peter Simon is an Information Security Evangelist and IT security solutions architect. He founded OneForce Technologies in 2007 with the vision of bringing enterprise-class data breach prevention solutions to small and medium-sized businesses without the associated price tag. OneForce Technologies also helps companies of all sizes demystify security by delivering training solutions to address the various regulatory compliance requirements for data security. Peter has also written "The Dangers of Spies on Your Keyboard" in the September issue of Cyber Warnings e-Magazine.