Computing Security – It just makes sense

One hacking news story after another; some people don’t give it much thought and others are completely alarmed. Recently North Korea was suspected of cyber attacks on South Korea and the US. Some months ago, it was reported that a “foreign interest” had been probing the US electric grid for months looking for weak targets for an anticipated attack in the future. Some years ago a large clothing retailer exposed data on thousands of credit card customers. And in the last few days, Network Solutions had some of their eCommerce servers hacked, affecting thousands of credit card holders.

Industry and Government are working together to implement new security standards aimed at reducing risks. For the Payment Card Industry, those efforts are documented in PCI-DSS, and all credit card merchants must certify compliance. For the Health Industry, standards and compliance are contained in the HIPAA standards. Compliance deadlines have passed or soon will on most regulations. These regulations also contain stiff penalties and strict prescriptions of action when breaches occur. Computer and Security technicians standing on the front line of defense are working diligently to achieve compliance, to protect your data and their reputations.

On the HIPAA front, many institutions are not yet fully compliant. Many cite the absence of appropriate technology as a big reason. Their complaints center around a few things.

  1. No real-time security view of the network – most software and hardware tools take only infrequent snapshots, so there is no way to be alerted quickly
  2. Too labor intensive – too much of the work involves time-consuming, nearly impossible manual inspections, analysis, and correction, exposing the process to human error.
  3. No real 100% view – most technology, because it consumes too much bandwidth or is just cumbersome to use, only “samples” a portion of the network, so non-compliant devices could be missed.
  4. Rate of change – new vulnerabilities are found frequently and it is difficult to keep up with them, identify the vulnerable devices, correct them, and recertify compliance.
  5. Network devices are often ignored – Servers are well managed, but the constant addition of new technology into the network presents a great challenge.

Regardless of available technology, compliance efforts must be completed.

The recently passed Federal Stimulus bill contains more emphasis on HIPAA compliance, with specific penalties and remedies for violations. Institutions and health care businesses should not just be focused on available funding but also on maintaining security and HIPAA compliance. Just this month in Little Rock, Ark., 3 health care professionals pleaded guilty to federal charges that they inappropriately accessed patient medical records. Each could be facing a $50,000 fine and up to 1 year in jail. Remember the recent news story about the Mother of 8 babies? The notoriety of her situation tempted medical professionals to view her personal medical records. From the birth hospital, 15 lost their jobs and 8 more were disciplined. The hospital was reportedly fined nearly $450,000.

Health care institutions and businesses face a monstrous security responsibility and great risks for violations. HIPAA compliance is a requirement but most see it just as the beginning. More must be done to harden systems and adapt to changing vulnerabilities. Protections must be improved to prevent external and internal abuses. We all must hold the healthcare industry accountable for privacy and security, but not to the point they are motivated by deniability.

Computer, network, and data security are all issues we face. Pay attention to the new regulations. Understand what you can do and the penalties of violations. It just makes sense.

 
