"Healthcare organizations are definitely maturing in their security evolution," says Tom Walsh of Tom Walsh Consulting, which focuses heavily on information security in the healthcare market.
He believes that the types of questions and the types of engagements he's getting as a consultant in the healthcare vertical have evolved. He says the questions have changed from "What is HIPAA?" to "Help me get something started for HIPAA?" to "How can I use governance frameworks to help me comply with all of the regulatory requirements out there — and remain secure in the process."
Healthcare IT departments are realizing that they not only have to deal with HIPAA, but also with requirements from The Sarbanes-Oxley Act of 2002 (SOX), payment card industry (PCI) and breach notification laws. It has dawned on them that it is time to get smart about leveraging compliance efforts.
"From a compliance perspective, HIPAA is big, but at the same time most healthcare providers have a bunch of other regulations that they have to deal with," says Scott Magrath, director of product marketing in VeriSign's managed security services group.
So understanding that there's more than HIPAA will mean a cohesive governance approach to security, "putting a framework in place and using that to link compliance [back to the organization]," Walsh says.
This will increasingly be a goal for organizations in this vertical. In the coming years, health organizations will likely replace HIPAA check-box compliance efforts with more robust governance frameworks that emphasize risk management. The maturation process will have them looking to follow the intent of the law, rather than the letter of the law.
While the market will likely see more signs of this shift in 2007, the process of shoehorning compliance efforts into comprehensive risk management plans is going to take a mite longer than a year. The Healthcare Information and Management Systems Society (HIMSS), for example, set its sights on 2014 as the year when this shift will touch all healthcare organizations.
Hot button issues
In the meantime, there are certain hot issues that healthcare security executives will have to deal with. Both Magrath and Walsh believe that in 2007 many healthcare organizations are going to be forced to take a closer look at the way that they handle patient information on the payment side of the house.
"One area of compliance a lot of healthcare organizations have not even addressed at this point is the PCI data security standard," Walsh said. "All hospitals accept credit cards for payments. They may not know how to handle that PCI data security standard."
With the introduction of the payment card industry's new PCI Council, healthcare's laissez-faire attitude regarding cardholder information will have to change. The council was conceived as an enforcement arm of the card companies, and healthcare organizations are within the sights of its leaders as some of the entities that will need to do better at protecting cardholder data.
Log monitoring and management
Another big 2007 push for many healthcare organizations is starting to better manage the information generated by all of those audit systems put in place to comply with rules and regulations.
"They knew they needed audit controls and put those in place. Now they are collecting this data and they're going, ‘Now what?'" Walsh says.
Magrath agrees, saying that leading into the end of this year, leading healthcare organizations are clamoring for services that center around log monitoring and log management.
"That's a huge driver there today. It is a very painful and laborious process to set up the technology yourself," he says. "Customers are really looking for more effective ways to tackle that whole issue with less impact to their business. That's probably the biggest thing we're seeing."
Still, even though healthcare organizations have talked about HIPAA ad nauseam for many years now, it is unlikely to be eclipsed as the main driver of security activities next year. The continued focus stems mostly from the fact that though many organizations are quick to claim full HIPAA compliance, the reality behind the curtain is that compliance is probably less complete than claimed.
"Even though some healthcare organizations are saying ‘We're compliant,' we really don't know what that means," Walsh says. "There's no one really validating it at this point."
The requirements laid out by HIPAA are notorious for lacking teeth or oversight, and many smaller healthcare organizations take advantage of this with lackluster compliance efforts. Magrath says that from a government enforcement perspective this won't likely change soon.
"The only way I see something coming down the pike, is if there are a bunch of high profile breaches that force legislators to do something," he says. "In the absence of that, I don't see anybody forcing hospitals to pay fines."
However, Walsh says that the healthcare sector may turn to self-policing as the most influential healthcare organizations recognize the importance of HIPAA mandates. For example, he believes that this may be the year that the Joint Commission on Accreditation of Healthcare Organizations (JCAHO) ties more HIPAA compliance requirements in with its accreditation process.
"Accreditation may be held up when the hospital doesn't comply," says Walsh. "They have been threatening this for some time, but maybe 2007 is the year they get serious about this."
On the radar in 2007
PCI DSS: Many healthcare organizations haven't even begun the work to comply with the payment card industry's data security standards. But the newly formed PCI Council may force these organizations into action as stronger enforcement looms.
JCAHO: The Joint Commission on Accreditation of Healthcare Organizations has the power to make healthcare organizations comply with security standards by threatening to yank accreditation. The question is whether 2007 is the year it will do this.
CCHIT: The Certification Commission for Healthcare Information Technology is enabling HIPAA compliance by making IT vendors create products HIPAA compliant out of the box. Experts recommend only purchasing products that have been approved by CCHIT to smooth the way to compliance.
— Ericka Chickowski