HIPAA Compliance Starts with C-Suite
Nutkis: Healthcare organizations will need to revisit and adjust their information security governance practices and make additional areas of investment to align with the new requirements. HITRUST recommends that healthcare organizations focus on the following key areas for their security strategic plans over the next 24 months:
- Develop and implement an overall compliance strategy: Update policies, processes, and technologies to manage and document compliance efforts
- Realign policies: Ensure that internal policies, standards, and procedures are aligned with regulatory requirements
- Perform a gap analysis: Conduct a gap analysis of existing security practices against HIPAA and new regulatory requirements
- Develop a roadmap for compliance: Develop a plan outlining responsibilities, budget, and timelines to address gaps identified during the assessment
- Maintain an audit-ready state: Based on recommendations by the OIG in 2008 and the new legislation, HHS will more assertively perform compliance audits in the upcoming years.
HealthLeaders Media: What are some weaknesses you see with healthcare facilities as they attempt to comply with HIPAA privacy and security?
Nutkis: During the development of our Common Security Framework (CSF), a certifiable framework that any and all organizations in the healthcare industry can implement and be certified against to reduce risk, the professionals from healthcare organizations of all segments provided us with input on the top issues affecting the industry resulting in the most severe breaches and loss of covered information. These include:
- Insecure and/or unauthorized removable transportable media and laptops (internal and external movements)
- Insecure and/or unauthorized external electronic transmissions of covered information
- Insecure and/or unauthorized remote access by internal and third-party personnel
- Insider snooping and data theft
- Malicious code and inconsistent implementation and update of prevention software
- Inadequate and irregular information security awareness for the entire workforce
- Lack of consistent network isolation between internal and external domains
- Insecure and/or unauthorized implementation of wireless technology
- Lack of consistent service provider, third party, and product support for information security
Editor's note: This is the first of a two-part series from our interview with Nutkis. In the next installment: The importance of business associates complying with the HIPAA Security Rule.
Dom Nicastro is a senior managing editor at HCPro, Inc. in Danvers, MA. He edits the Briefings on HIPAA newsletter and manages the HIPAA Update Blog. E-mail him at dnicastro@hcpro.com.
