Don’t Wait for the OCR to Come Knocking


tn-roofing For healthcare IT security professionals, the past 10 years has been characterized by both unrealistic expectations from higher up’s and frustration of not being able do enough.  

No Time, Money, or People

  Without being given the adequate resources, and personnel, S&R professionals have repeatedly found themselves in a position where they are unable to cultivate a mature security program, and properly safeguard sensitive health information.
 “We struggled to be heard in our organizations, to implement policies and strengthen passwords. But we were often thwarted and viewed as obstacles if not threats, to patient care.”,
writes Kate Borten, a 20 year Healthcare IT veteran, in her recent article Healthcare Information Security: Still No Respect.
“You’d think patient privacy, and, thus, security, would be embraced, but it wasn’t so.”

US Health Care is IT’s own worst enemy

Today things are changing for better, but also for worse. One of the chief obstacles to security and risk teams is being at the mercy of healthcare industry budgets. In a recent article, Forrester’s Stephanie Balaouras shares the fact that the US has the highest healthcare spend per capita compared with other developed countries, which does not necessarily correlate to better outcomes. This means the pressure on US healthcare to reduce spending is even more severe than other countries, and security is already one of those often overlooked departments. This is mainly due to the fact that no one ever thinks about it until something goes disastrously wrong. Speaking of which, 2013 saw a 138% increase in personal health information breaches, with over 7 million records lost. The reality is, medical records are a hot commodity for many opportunistic data thieves, mostly because they are not that hard to get, and easy to convert to currency. However, even with the undeniable risk of data loss, healthcare organizations still need further incentive to change. seal_blue_gold_hi_res  

Enter: US Government

  OCR, which stands for the Office for Civil Rights, is the fire beneath Healthcare’s feet. As an integral part of the department of Health and Human Services, the OCR, “investigates and resolves thousands of complaints regarding HIPAA violations, many of which result in significant reputational damage and substantial fines.”  

Move over IRS, the OCR is coming! 

In the past couple years, the OCR has played a mostly passive role in HIPAA enforcement, by primarily responding to HIPAA breach complaints. However, presently, they are taking a much more active role by instigating investigations into health care organizations and performing audits. In July of 2013, the managed care company Wellpoint paid out over $1.7 million to OCR and HIPAA privacy and security violations. Since then, dozens of other organizations have felt the heat. 1287062_19628839

So what do S&R professionals need to know about OCR?

  1.  Become Familiar With OCRs 77-Point Protocol The OCR audits healthcare organizations against a comprehensive audit protocol that is organized around modules, representing separate elements of privacy, security, and breach notification. This includes performance criteria such as Security Management Process, Assigned Security Responsibility, Security Awareness and Training, Contingency Plans, Facility Access Controls, and much more. Without adequate knowledge of all of these performance criteria, any security plan will prove fruitless in the event of an audit. 2.  Make a Business Case for Security Going back to the point of overstretched healthcare budgets, now more than ever, S&R professionals need to prove extra savvy in outlining a return on investment for their security programs to decision makers. Also, since you can only approximate the costs of what “might happen”, it might be better to focus attention on how effective you’re particular security solutions are by providing concrete and easy to follow examples 3.  Exploit Cloud Providers Willing to Sign BAAs As a regulated industry, Healthcare has the biggest reason to switch to more streamline cloud solutions in order to save on manpower and infrastructure. However, no one wants to be left holding the hot potato. Make sure the cloud services you are integrating with are willing to sign the right service level-agreements, which provide you with the right level of control and access to things like security logs. Finally,
“S&R pros should also use cloud encryption solutions to encrypt data transmitted to cloud providers while retaining control of the encryption keys.”
Encryption in a cloud provider’s data center is useless, if the method of transit is not secure. Make sure your cloud solution offers persistent encryption no matter where the data resides (at rest, inflight, etc.).   4.  Understand the Top Risks 52% of healthcare organizations reported that more than half of their employees store sensitive or regulated data on their computers. BYOD risks are undeniable, and should be at the top of the list when it comes to potential risks. Right alongside BYOD are consumer based communication and file-sharing tools, which 18% of S&R professionals consider controlling to be of utmost importance.  

What was that saying about morale and beatings?

It might sound like a message we have heard all too often, but until Healthcare organizations start making the right decisions, what other message is there to send? Maybe when the pain gets great enough, and an event on the scale of Target’s recent breach were to befall health care, maybe then the desired shifts would occur. Isn’t that how these things work? Until then, keep a close eye the OCR and don’t think that just because you are a small fish, they are not interested in you.