Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Database Security
Authentication
Mobile
Privacy
Compliance
Careers and People
Identity & Access Management
Security Monitoring
Advanced Threats
Insider Threats
Vulnerability Management

Risk

Nobody Cares About HIPAA

Compliance is seen mainly as a costly inconvenience in many organizations.

Health Data Security: Tips And Tools
Health Data Security: Tips And Tools
(click image for larger view and for slideshow)
Sometimes clarity comes out of the blue, including clarity about compliance issues. Recently I was meeting with a friend and business associate, Ben Drake. His company works with networking and data protection technology for a number of businesses.

I mentioned how some organizations with obvious Health Insurance Portability and Accountability Act (HIPAA) compliance issues seem uninterested in putting forth the effort to resolve them. Some won't even acknowledge they have issues. Ben shrugs and matter-of-factly says, "Nobody cares about HIPAA."

That took a minute to soak in, but I got his point. Knowing Ben, I knew his comment was not literal, it was for effect. But generally speaking, he has a strong point. In the greater scheme of many businesses, HIPAA (and other regulations) are commonly seen by management and staff as annoyances and as another meaningless expense.

Some organizations make only token efforts toward compliance, and those efforts are typically the least that can be done for the least cost. There is often an incomplete, one-time effort to "get compliant," but after that, nothing much more.

In Ericka Chickowski's recent article, "Healthcare Security Pros Need To Speak The Language Of Finance," Rick Kam pointed out healthcare security issues, "basically put the CFO and the CEO to sleep because they're talking compliance, talking costs, and talking about things that are not that interesting to these executives."

While there are exceptions, I think Ken's observation is THE reality for many organizations, even if no one will openly admit it. A common course of action by this type of leadership is usually one of three approaches: postpone, ignore, or delegate.

Postponement is easy to emotionally justify. "I'm very busy. I need to wait until I have time to really understand everything and not make a bad decision." The problem here is that security dangers don't care if you wait or not, they will continue to put the organization's information and reputation at risk.

Read the rest of this article on Dark Reading.

IT professionals can make tremendous progress on security initiatives using the HIPAA Security Rule for leverage. In our Security Via HIPAA Compliance report, we'll explain how. (Free registration required.)

Comment  | 
Print  | 
More Insights
Webcasts
More Webcasts
White Papers
More White Papers
Reports
More Reports
//Comments
Oldest First  |  Newest First  |  Threaded View
rmanske53101
rmanske53101,
 User Rank: Apprentice
3/16/2012 | 5:35:58 PM
re: Nobody Cares About HIPAA
I don't know who Ben Drake is, but as a source, he's an idiot and has no clue about HIPAA complinace at other companies. I've worked for major healthcare providers and payers alike, and everyone I know takes HIPAA compliance very seriously, in the from of time, resources and capital. Maybe a small doctors office doesn't care much for compliancy, but I can assure you, most in the healthcare industry have gone to great lenghts to be compliate with the regualtions.

To say it mildly, this artical is worthless and Ben Drake doesn't speak for the healthcare industy.
ANON1241631011972
ANON1241631011972,
 User Rank: Apprentice
3/16/2012 | 10:03:47 PM
re: Nobody Cares About HIPAA
I don't think this is an accurate assessment. With the high fines for breaches, we care about HIPAA. However, like Dodd-Frank, we are spending a huge chunk of our budget on compliance activities which provide no healthcare value and add to the cost of healthcare. Most of the so-called "breaches" have no consequence to the consumer because they involve media that was stolen for the value of the media and not for the exploitation of its PHI content. Notwithstanding the lack of actual damages, the insatiable enforcement agencies make the data loss worth millions of dollars to them. This hypocritical behavior on the part of the government (i.e.; pretending to want to reduce costs while, at the same time, driving costs up with every new regulation) is why people are jaded on this subject. Most of the regulations have no practical utility value in terms of "civil rights" protection. This is what makes people cynical about HIPAA.
LindaJoyAdams
LindaJoyAdams,
 User Rank: Apprentice
3/18/2012 | 5:19:43 AM
re: Nobody Cares About HIPAA
Laws already existed against a breach of privacy by medical providers. And the govt contractors and govt agencies are not included in the HIPPAA protections. So the biggest breach of privacy by a doctor is when the claim is submitted to a govt financed but govt contractor run health plan. The acting Director of medicare , Dr. Berwick, wanted to get them under HIPPAA but was unable to do so. Govt contractors are given immunity from criminal wrong doings and they can;t be internally audited; yet not one in Congress will put back the laws that used to exist: commit a crime or violate laws- investigations and prosecutions can be done. And Internal audits as to how or what our public monies are being used for will be done. Why hire contract auditors if they can only see what the govt contractor wants them to see. All this law did was raise health care costs by increasing as real care of the patient dollars got spent on computer systems; which are now obsolete as we prepare for the ' cloud.' worse of all the new systems are really causing some problems. It is cross checking my drivers license number with when we first moved to this state and using that address instead of my current one.( We actually didn't move but 911 changed the address a few years ago; I even checked but we are paying property taxes on the same legal description) I had a doctor bill in collections before I'd received any notice from the health plan or a bill of what the co- pays were. Now how do I get this corrected when the State of OK driver's license bureau which is interlocked with Home land security isn't under HIPPAA and sharing incorrect info. My submission to correct this didn't take! Only thing I know what to do is go in and start all over with my driver's license renewal. My doctors provide more conscientious privacy than all these messed up govt agencies and their contractors and they are able to do this better without all these computer systems when so many are getting access to my personal info after the claim is filed. Why does Homeland security want or need to know my blood pressure and temperature and other medical info? Also once info is wrong inside the govt contractors; it can't get changed and that includes diagnostic coding which is being done inside the govt contractors to by pass their security protocols and get medicare to pay when others are the primaries, like my federal workers compensation. This can and has been deadly if the data base is used for a medical history. Congress had this study several years ago and nothing has been done to correct some basic problems in the current system. When this is done; its called theft by law which the contractors have been given congressional immunity from stealing the Medicare and even medicaid and other govt health plan monies from.Linda Joy Adams
EMONTEIRO027
EMONTEIRO027,
 User Rank: Apprentice
3/22/2012 | 2:05:17 AM
re: Nobody Cares About HIPAA
Of course people care about HIPAA. But then again you have to remember... just when they think they're compliant.. some new law or some modification is added to the existing one and then they have to go back and revamp whatever they have to meet the new rules.
Every health care provider's office I've ever walked in definitely cares though and they are not trying to get penalized.
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The 10 Most Impactful Types of Vulnerabilities for Enterprises Today
Managing system vulnerabilities is one of the old est - and most frustrating - security challenges that enterprise defenders face. Every software application and hardware device ships with intrinsic flaws - flaws that, if critical enough, attackers can exploit from anywhere in the world. It's crucial that defenders take stock of what areas of the tech stack have the most emerging, and critical, vulnerabilities they must manage. It's not just zero day vulnerabilities. Consider that CISA's Known Exploited Vulnerabilities (KEV) catalog lists vulnerabilitlies in widely used applications that are "actively exploited," and most of them are flaws that were discovered several years ago and have been fixed. There are also emerging vulnerabilities in 5G networks, cloud infrastructure, Edge applications, and firmwares to consider.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2023-1142
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use URL decoding to retrieve system files, credentials, and bypass authentication resulting in privilege escalation.
CVE-2023-1143
PUBLISHED: 2023-03-27
In Delta Electronics InfraSuite Device Master versions prior to 1.0.5, an attacker could use Lua scripts, which could allow an attacker to remotely execute arbitrary code.
CVE-2023-1144
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 contains an improper access control vulnerability in which an attacker can use the Device-Gateway service and bypass authorization, which could result in privilege escalation.
CVE-2023-1145
PUBLISHED: 2023-03-27
Delta Electronics InfraSuite Device Master versions prior to 1.0.5 are affected by a deserialization vulnerability targeting the Device-DataCollect service, which could allow deserialization of requests prior to authentication, resulting in remote code execution.
CVE-2023-1655
PUBLISHED: 2023-03-27
Heap-based Buffer Overflow in GitHub repository gpac/gpac prior to 2.4.0.