We are starting to see Chief Information Security Officers (CISOs) reporting outside of Information Technology (IT). This makes sense because the CISO needs to be able to audit the IT controls and give an unbiased report to senior management.
We read about healthcare organizations that get fined by the OCR for basically doing nothing, meaning that they have a general lack of evidence of due diligence for HIPAA.
Reviewing some of the largest fines can help healthcare organizations learn how to avoid them should an incident occur. Many experts say that it isn’t IF an incident will occur, it’s WHEN.
Adding a cybersecurity tactical simulation test to an overall information security risk assessment is a must in today’s world. It is a sure bet that attacks and breaches will continue to occur, so functional assessments, mitigation, awareness and response are key to protecting your organization’s confidential information.
The HITECH-OMNIBUS final rule stepped up the requirements for both covered entities (CEs) and business associates (BAs), and both must now include the new requirements in their information privacy and security risk analysis and management program.
Based on prior statements from the OCR and their recently distributed survey, the pool of audit candidates will be approximately 800 to start. These randomly selected organizations will be chosen using the National Provider Identifier database and other external sources.
Who would have thought back in 1990 that someone in China or Russia or anywhere else would be able to steal health information from a hospital in Anytown USA and even hold it for ransom?
Healthcare seems to be the #1 target for hackers and ransomware and there are two (2) main reasons that make up the root cause.
Imagine trying to come up with the top ten things our planet should do to decrease vulnerabilities and threats. Looking at Earth from 30,000 feet can make that seem easier to do. But if we zoom in to the details we could probably come up with hundreds of things to consider. The same is true with health information privacy and security. To come up with what we consider to be the top ten things to do to pass Office for Civil Rights (OCR) audits and reduce the risk of unauthorized access to your protected health information (PHI), we had to zoom out and look at what we have observed over the past several years from a very high level. Our top ten things to do are not listed in any particular order. Keep in mind that our top ten today will most likely change very soon, and at least year to year. Here they are:
Since we are talking about healthcare information we must talk about protected health information (PHI) and the HIPAA-HITECH-OMNIBUS Privacy, Security, and Breach Notification Rules. BI and Big Data analysis that includes PHI and its use and disclosure must be reviewed against the HIPAA security and privacy requirements and the breach notification requirements.