
Hospitals Go Under the Microscope

Upcoming security audits could cause ripples across the HIPAA compliance pond

5:00 PM -- Healthcare is changing. No, your drug prescriptions won't cost you less, and yes, the draconian nurse is still going to lack a sense of humor. But hidden behind the scenes are regulatory changes that could spell a lot of additional spending to beef up compliance on the healthcare front.

The Center for Medicare and Medicaid Services has begun spending millions of dollars in a year-long contract to have PricewaterhouseCoopers International perform a series of HIPAA compliance reviews against hospitals that have had privacy complaints filed against them over the last several years. The HIPAA compliance deadline for most hospitals was the middle of 2005, giving hospitals plenty of time to get their act in order.

But PwC won't be auditing all of the entities against whom complaints have been filed -- in fact, only 10 or 20 out of about 200 will get the compliance audit. As a person who visits the doctor precisely once every 15 years, I'm not particularly worried about myself. But it's easy to see why someone who visits hospitals regularly would want a better assurance of privacy.

It's unclear what the penalties will be for hospitals that fail the audit, but portions of HIPAA do include potential jail time for failure to comply. That's a big stick. Since healthcare is already a hot topic of debate as election time draws closer, it will be interesting to see how this issue affects spending over the next several years.

Focusing on healthcare security is not unreasonable, given the frequent media reports of breaches and the incredible damage to people's privacy and safety that can ensue. Imagine if the whole world knew you were deathly allergic to peanuts. It's not hard to hatch what Bruce Schneier calls a "movie plot scenario" where your worst enemy finds this fatal flaw after hacking into your hospital records.

While such scenarios may not seem likely, other records -- including your billing information -- could be of far greater value to a random attacker. It will be interesting to see what happens over the next few years, as purse strings loosen in order to tighten up healthcare compliance.

– RSnake is a red-blooded lumberjack whose rants can also be found at Ha.ckers and F*the.net. Special to Dark Reading
