Risk
3/16/2012
11:03 AM
Connect Directly
RSS
E-Mail
50%
50%

Nobody Cares About HIPAA

Compliance is seen mainly as a costly inconvenience in many organizations.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Sometimes clarity comes out of the blue, including clarity about compliance issues. Recently I was meeting with a friend and business associate, Ben Drake. His company works with networking and data protection technology for a number of businesses.

I mentioned how some organizations with obvious Health Insurance Portability and Accountability Act (HIPAA) compliance issues seem uninterested in putting forth the effort to resolve them. Some won't even acknowledge they have issues. Ben shrugs and matter-of-factly says, "Nobody cares about HIPAA."

That took a minute to soak in, but I got his point. Knowing Ben, I knew his comment was not literal, it was for effect. But generally speaking, he has a strong point. In the greater scheme of many businesses, HIPAA (and other regulations) are commonly seen by management and staff as annoyances and as another meaningless expense.

Some organizations make only token efforts toward compliance, and those efforts are typically the least that can be done for the least cost. There is often an incomplete, one-time effort to "get compliant," but after that, nothing much more.

In Ericka Chickowski's recent article, "Healthcare Security Pros Need To Speak The Language Of Finance," Rick Kam pointed out healthcare security issues, "basically put the CFO and the CEO to sleep because they're talking compliance, talking costs, and talking about things that are not that interesting to these executives."

While there are exceptions, I think Ken's observation is THE reality for many organizations, even if no one will openly admit it. A common course of action by this type of leadership is usually one of three approaches: postpone, ignore, or delegate.

Postponement is easy to emotionally justify. "I'm very busy. I need to wait until I have time to really understand everything and not make a bad decision." The problem here is that security dangers don't care if you wait or not, they will continue to put the organization's information and reputation at risk.

Read the rest of this article on Dark Reading.

IT professionals can make tremendous progress on security initiatives using the HIPAA Security Rule for leverage. In our Security Via HIPAA Compliance report, we'll explain how. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
EMONTEIRO027
50%
50%
EMONTEIRO027,
User Rank: Apprentice
3/22/2012 | 2:05:17 AM
re: Nobody Cares About HIPAA
Of course people care about HIPAA. But then again you have to remember... just when they think they're compliant.. some new law or some modification is added to the existing one and then they have to go back and revamp whatever they have to meet the new rules.
Every health care provider's office I've ever walked in definitely cares though and they are not trying to get penalized.
LindaJoyAdams
50%
50%
LindaJoyAdams,
User Rank: Apprentice
3/18/2012 | 5:19:43 AM
re: Nobody Cares About HIPAA
Laws already existed against a breach of privacy by medical providers. And the govt contractors and govt agencies are not included in the HIPPAA protections. So the biggest breach of privacy by a doctor is when the claim is submitted to a govt financed but govt contractor run health plan. The acting Director of medicare , Dr. Berwick, wanted to get them under HIPPAA but was unable to do so. Govt contractors are given immunity from criminal wrong doings and they can;t be internally audited; yet not one in Congress will put back the laws that used to exist: commit a crime or violate laws- investigations and prosecutions can be done. And Internal audits as to how or what our public monies are being used for will be done. Why hire contract auditors if they can only see what the govt contractor wants them to see. All this law did was raise health care costs by increasing as real care of the patient dollars got spent on computer systems; which are now obsolete as we prepare for the ' cloud.' worse of all the new systems are really causing some problems. It is cross checking my drivers license number with when we first moved to this state and using that address instead of my current one.( We actually didn't move but 911 changed the address a few years ago; I even checked but we are paying property taxes on the same legal description) I had a doctor bill in collections before I'd received any notice from the health plan or a bill of what the co- pays were. Now how do I get this corrected when the State of OK driver's license bureau which is interlocked with Home land security isn't under HIPPAA and sharing incorrect info. My submission to correct this didn't take! Only thing I know what to do is go in and start all over with my driver's license renewal. My doctors provide more conscientious privacy than all these messed up govt agencies and their contractors and they are able to do this better without all these computer systems when so many are getting access to my personal info after the claim is filed. Why does Homeland security want or need to know my blood pressure and temperature and other medical info? Also once info is wrong inside the govt contractors; it can't get changed and that includes diagnostic coding which is being done inside the govt contractors to by pass their security protocols and get medicare to pay when others are the primaries, like my federal workers compensation. This can and has been deadly if the data base is used for a medical history. Congress had this study several years ago and nothing has been done to correct some basic problems in the current system. When this is done; its called theft by law which the contractors have been given congressional immunity from stealing the Medicare and even medicaid and other govt health plan monies from.Linda Joy Adams
ANON1241631011972
50%
50%
ANON1241631011972,
User Rank: Apprentice
3/16/2012 | 10:03:47 PM
re: Nobody Cares About HIPAA
I don't think this is an accurate assessment. With the high fines for breaches, we care about HIPAA. However, like Dodd-Frank, we are spending a huge chunk of our budget on compliance activities which provide no healthcare value and add to the cost of healthcare. Most of the so-called "breaches" have no consequence to the consumer because they involve media that was stolen for the value of the media and not for the exploitation of its PHI content. Notwithstanding the lack of actual damages, the insatiable enforcement agencies make the data loss worth millions of dollars to them. This hypocritical behavior on the part of the government (i.e.; pretending to want to reduce costs while, at the same time, driving costs up with every new regulation) is why people are jaded on this subject. Most of the regulations have no practical utility value in terms of "civil rights" protection. This is what makes people cynical about HIPAA.
rmanske53101
50%
50%
rmanske53101,
User Rank: Apprentice
3/16/2012 | 5:35:58 PM
re: Nobody Cares About HIPAA
I don't know who Ben Drake is, but as a source, he's an idiot and has no clue about HIPAA complinace at other companies. I've worked for major healthcare providers and payers alike, and everyone I know takes HIPAA compliance very seriously, in the from of time, resources and capital. Maybe a small doctors office doesn't care much for compliancy, but I can assure you, most in the healthcare industry have gone to great lenghts to be compliate with the regualtions.

To say it mildly, this artical is worthless and Ben Drake doesn't speak for the healthcare industy.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6117
Published: 2014-07-11
Dahua DVR 2.608.0000.0 and 2.608.GV00.0 allows remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

CVE-2014-0174
Published: 2014-07-11
Cumin (aka MRG Management Console), as used in Red Hat Enterprise MRG 2.5, does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for remote attackers to obtain potentially sensitive information via script access to this cookie.

CVE-2014-3485
Published: 2014-07-11
The REST API in the ovirt-engine in oVirt, as used in Red Hat Enterprise Virtualization (rhevm) 3.4, allows remote authenticated users to read arbitrary files and have other unspecified impact via unknown vectors, related to an XML External Entity (XXE) issue.

CVE-2014-3499
Published: 2014-07-11
Docker 1.0.0 uses world-readable and world-writable permissions on the management socket, which allows local users to gain privileges via unspecified vectors.

CVE-2014-3503
Published: 2014-07-11
Apache Syncope 1.1.x before 1.1.8 uses weak random values to generate passwords, which makes it easier for remote attackers to guess the password via a brute force attack.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Marilyn Cohodas and her guests look at the evolving nature of the relationship between CIO and CSO.