HIPAA Security. Are We Making Progress?

September 30, 2011/Frederick Scholl/, , ,

The recent breach of 20,000 medical records at Stanford Hospital has me concerned.  The institution is part of Stanford University Medical Center and is a top rated health care provider.  Are we making progress on HIPAA security?  Are things getting better?  If this institution cannot effectively protect patient data, who can?  I analyzed the data on the HHS breach site, which reports medical records breaches (starting in 2009) of more than 500 records (www.hhs.gov) to see if I could see a positive trend.  The results are shown in the graph.

 

 

The data is not really showing a clear trend in either direction.  The vertical axis is pretty staggering in any case; the Stanford breach is only a blip on the chart.  Our Federal government has been putting great emphasis on medical records privacy.  Audits of HIPAA security will be starting in 2012 and could affect healthcare providers and their business associates.  Unfortunately, in perhaps typical government fashion, the detailed audit requirements have not been published.

One of my concerns around HIPAA is the emphasis on compliance.  Good compliance does not result, necessarily, in good security.  Security managers need to develop effective security programs with compliance as only one “deliverable”.

Should you be concerned about potential HIPAA security audits in 2012?  Statistically, probably not.  With 150 announced audits and the large population of covered entities (700,000) and business associates (1,500,000), your chance of an audit is about 0.000068.  This is the same probability as you or a family member being attacked by a shark.  But the audits will not be random and larger organizations will have a much greater chance of an onsite audit.

Should  you be concerned about HIPAA security breaches?  Yes.  Depending on the nature of the breached records, the consequences could be material.  Consider the fine of $1M levied by the Office of Civil Rights against Mass General for losing 200 records of AIDS patients.

In my next blog post, I will consider practical ways to secure HIPAA records and stay out of the news.

Posted in
Tags: , , ,

Frederick Scholl

Frederick Scholl is an accomplished Global Senior Information Security Risk Manager. Dr. Scholl earned a BS and Ph.D. in Electrical Engineering from Cornell University. In 1991, Fred founded Monarch Information Networks, LLC to enable forward-thinking organizations to protect their information. Previously, he co-founded Codenoll Technology Corporation (NASDAQ: CODN). He chaired the IEEE committee that wrote the first standard for Ethernet communication over fiber optic links, now used world-wide.

Book an Appointment for Cybersecurity Issues

Request an appointment with Dr. Fred Scholl. We will discuss any cybersecurity issues you have.

Book an Appointment

More Good Reading

Cybersecurity Thrives in An Organizational Context

The First National Cybersecurity Summit

New Privacy Laws Require Security Professionals Up Their Game

Cybersecurity Workforce Development: Real or Imagined Problem?

Antidote for Fake Everything

Information Security Risks, Gray Rhinos and Black Swans

Managing Information Security On a Limited Budget

Building a Security Start-Up

Cybersecurity Risk Management for Directors

My Reading List for Security Start-Ups

Should Your CIO Learn to Code?

How IT Leaders Can Keep a Seat at the Table

Equifax points out—again—the need for speed in security management

Anatomy of a Security Breach

The Smartest Information Security Companies

Book Review: Play Bigger

Long Term Beneficiaries of WannaCry

RISK: A NEW MOVIE ABOUT JULIAN ASSANGE

TRADE SECRET THEFT CONTINUES UNABATED

TENNESSEE LEGISLATORS MUDDY WATERS AROUND PRIVACY BREACH NOTIFICATION REQUIREMENTS

LEADERSHIP CHECKLIST FOR SECURITY PROFESSIONALS

SIEM VENDORS HAVE IT ALL BACKWARDS

THE SECRET TO GROWING YOUR SECURITY STARTUP

CLOUD JOBS PEAKING?

The Spy Who Couldn’t Spell

IS THERE A CYBERSECURITY PROFESSIONALS SHORTAGE?

No Blue Pill for Cybersecurity Failures

Presidential Cybersecurity Commission Makes Some Good Suggestions

Understanding Intelligence

Align Your Security Program With the Business

Don’t fall victim to BEC

Enterprise Risk Management and Information Security

Evidence Based Risk Assessment: Lessons Learned from the Y-12 Breach

First Conviction for Illegally Distributing Android Apps

Locking Up the Ivory Tower

Cloud Vulnerabilities

More Security Lessons Learned from the Y-12 Breach

Security or Compliance?

Home Disaster Recovery Planning

Cloud Computing: Trust but Verify

Background Checks May Not Be Enough

PERFECT SECURITY STORM FOR LAW FIRMS?

How Not To Be a Cyber Janitor

SECURITY MEMO: IT CAN’T HAPPEN HERE, CAN IT?

Don’t Forget Cloud Availability

Compliance v. Security

GAO Report on Information Security in Federal Government

Lean Security

Mitigate Your Social Engineering Vulnerabilities

HIPAA Security. Are We Making Progress?

Brand Your Security Program

PDCA is Dead

LEARNING FROM PAST MISTAKES

How Better Security Can Create Shared Value

C’est La Vie, You Never Can Tell: Lessons Learned from the HBGary Hack

DDOS Tutorial

The future of information technology

Data Governance Anyone?

Learning from the oil spill disaster

Down the Rabbit-Hole…Again?

Ideas on Risk Management