When I started investigating the Health Insurance Portability and Accountability Act (HIPAA), I was intrigued; HIPAA seemed to be one of the first real steps in the right direction. But anyone who's worked with the regulations will tell you: HIPAA has ruffled feathers. Its scope will touch organizations both large and small, and a number of deep-rooted problems will need fixing. Of course, if pain proves profitable, you'll find businesses there to capitalize on it. Over the past 12 months I've been bombarded by news releases rambling on about HIPAA offerings: compliancy checks, audits, industry-expert availability and a variety of other HIPAA-related services. Accounting firms, consulting houses and other vendors are all looking to get a piece of the chaos, uh, I mean, action ... and the foul stench of FUD is in the air.
Although I welcome much of what HIPAA is attempting, there's one major point the sales and marketing pimp squads continue to ignore: Many of the proposed "standards" haven't been ratified yet. Of the seven sections that comprise the "Administrative Simplification" portion (which affects IT heavily), only two standards have achieved "final rule" status. More comical is the lack of people who have read the drafts -- many "experts" haven't even read word one.
But let's not jump ahead. Let's start with the basics. Security professionals who have read the document(s) immediately discovered the blaringly obvious: Many of the proposed ideas aren't rocket science. Hell, they're not even particularly new concepts. While I don't claim to be a HIPAA expert (nor do I ever want to be), my own perusals have yielded the following: Much of what the HIPAA Administrative Simplification rules propose are reiterations of information security best practices, including information access control, security testing, documentation, backup and disaster-recovery planning, virus checking, termination procedures, encryption and authentication, and the list goes on. As any good security officer will tell you, organizations should be covering these areas with or without HIPAA.
How soon will HIPAA take hold? If the health-care behemoths get their way, the same administration that told the EU its privacy standards are "incompatible with real-world operations" (see article) will be blasting holes in HIPAA and proposed time lines. But don't hang out waiting to see what happens on Capitol Hill; get your infosec act together regardless. Besides taking care of the little things -- like protecting patient records -- organizations should be preparing for future regulations, whether they come down now or 20 years from now. The 5,000 patient records lifted from University of Washington's medical center earlier this year were only the tip of the iceberg.
If you're a health-care-related organization, form a good idea of where your organization's information security program is today. Do yourself and your clients a favor and read the rulings, evaluate the vendors and start with the basics. Organizations with effective information security programs might find HIPAA alignment a bit bumpy, but they'll pull through. Organizations operating in "information-security-abyss mode" are not only being irresponsible, they'll be ravaged if and when HIPAA takes hold.
Finally, to our European readers: Please accept my apology on behalf of those who have a clue regarding our pathetic approach to privacy. We've saddled ourselves with an administration that just doesn't "get it." And while we should take responsibility for putting that administration in office, well, hell, we're not even sure we did.
Send your comments on this column to Greg Shipley at gshipley@neohapsis.com.
REPORTS
ANALYTICS
Follow 
