Let's be truthful. Being compliant with the Healthcare Insurance Portability Act and Accountability Act (HIPAA) of 1996 and even its subsequent Privacy and Security rules alone is really like doing the barest of minimums possible to secure your health care organization and the protected health care information (PHI) in its custodianship.
HIPAA achieved a bureaucratically amenable baseline of both required and suggested protections toward the benefit of the American patient. It, however, did not provide prescriptive guidance. It also has not been well enforced to date.
For instance, the HIPAA Security Rule recommends the use of cryptography; however, the control falls into that gray area known as “addressable." Don't want to comply with it? Just document why you believe it not to be “reasonable and appropriate” and support that decision by pointing to all of your other security infrastructure as mitigating factors. It's really up to you.
Cryptography is simply not required at all unless you wish to receive possible “safe harbor” from the Health Information Technology for Economic and Clinical Health (HITECH) Act requirements to notify victims of breaches affecting more than 500 individuals.
Still, with the exception of reputation damage, apart from former Connecticut Attorney General Richard Blumenthal's pursuit of Health Net following its loss of a portable hard drive containing the unencrypted records of 446,000 enrollees, there is little other enforcement precedence to warrant concern to date.
Even Blumenthal's efforts ultimately resulted in a comparatively paltry $250,000 settlement. Can it be any wonder that as of Nov. 15, 102 separate incidents of breaches of unsecured PHI affecting more than 9.6 million individuals were reported to the secretary of the U.S. Health and Human Services Department?
But, wait a minute. Perhaps the effort to achieve the encryption of all PHI today has become somewhat less burdensome in the eight years since the Security Rule's passage? Perhaps the threat landscape has changed sufficiently to fully warrant encryption's "reasonableness and appropriateness?"
Well, duh. Ask vendors such as Vormetric or SafeNet. They each have developed appliances that facilitate the transparent cryptography and dynamic key management which once seemed so elusive.
Surprised? Cryptography is not the only common security best practice not well addressed, if addressed at all. For example, try to find specific mention of patch management requirements in the HIPAA Security Rule. Seriously. It's not in there.
The closest that you may find is the highly interpretable risk management (§164.308) or general security standard verbiage (§164.306) instructing that “reasonable and appropriate” security measures be employed to reduce risk to “reasonable and appropriate” levels. Yet among all the HITECH-driven Privacy and Security Rule revision discussions, none of these controls or other security stalwarts, such as file-integrity management or even intrusion prevention systems, are known to be pending.
So ask yourself, as a patient, are your providers responding to today's zero-day threat, hacktivist, international espionage-ridden landscape? Are they compliant with such best practice standards as the very prescriptive, and even health care specific, HITRUST Common Security Framework? How about NIST 800-53 or ISO 27001/2?
Now providers, ask yourselves, are you truly committed to doing no harm? Before you answer, be forewarned. The stakes are rising, Office of Civil Rights' audits have started, state attorneys General are becoming more active, and if you think that you can hold up HIPAA compliance as a modicum of assurance, you are sadly mistaken.
It's time to get serious.