[ISN] Navigating the HIPAA Hype

From: InfoSec News (isnat_private)
Date: Fri Jun 08 2001 - 15:47:36 PDT


    June 11, 2001
    By Greg Shipley

    As an IT professional in the United States it's taken me a while to
    realize just how bad things have gotten on our country's
    privacy-protection front. In fact, I should thank my European
    colleagues for educating me -- if not for my work on international
    projects I'd still be ignorant.

    When I started investigating the Health Insurance Portability and
    Accountability Act (HIPAA), I was intrigued; HIPAA seemed to be one of
    the first real steps in the right direction. But anyone who's worked
    with the regulations will tell you: HIPAA has ruffled feathers. Its
    scope will touch organizations both large and small, and a number of
    deep-rooted problems will need fixing. Of course, if pain proves
    profitable, you'll find businesses there to capitalize on it. Over the
    past 12 months I've been bombarded by news releases rambling on about
    HIPAA offerings: compliancy checks, audits, industry-expert
    availability and a variety of other HIPAA-related services. Accounting
    firms, consulting houses and other vendors are all looking to get a
    piece of the chaos, uh, I mean, action ... and the foul stench of FUD
    is in the air.

    Although I welcome much of what HIPAA is attempting, there's one major
    point the sales and marketing pimp squads continue to ignore: Many of
    the proposed "standards" haven't been ratified yet. Of the seven
    sections that comprise the "Administrative Simplification" portion
    (which affects IT heavily), only two standards have achieved "final
    rule" status. More comical is the lack of people who have read the
    drafts -- many "experts" haven't even read word one.

    But let's not jump ahead. Let's start with the basics. Security
    professionals who have read the document(s) immediately discovered the
    glaringly obvious: Many of the proposed ideas aren't rocket science.
    Hell, they're not even particularly new concepts. While I don't claim
    to be a HIPAA expert (nor do I ever want to be), my own perusals have
    yielded the following: Much of what the HIPAA Administrative
    Simplification rules propose is a reiteration of information security
    best practices, including information access control, security
    testing, documentation, backup and disaster-recovery planning, virus
    checking, termination procedures, encryption and authentication, and
    the list goes on. As any good security officer will tell you,
    organizations should be covering these areas with or without HIPAA.

    How soon will HIPAA take hold? If the health-care behemoths get their
    way, the same administration that told the EU its privacy standards
    are "incompatible with real-world operations" (see article) will be
    blasting holes in HIPAA and proposed time lines. But don't hang out
    waiting to see what happens on Capitol Hill; get your infosec act
    together regardless. Besides taking care of the little things -- like
    protecting patient records -- organizations should be preparing for
    future regulations, whether they come down now or 20 years from now.
    The 5,000 patient records lifted from University of Washington's
    medical center earlier this year were only the tip of the iceberg.

    If you're a health-care-related organization, form a good idea of
    where your organization's information security program is today. Do
    yourself and your clients a favor and read the rulings, evaluate the
    vendors and start with the basics. Organizations with effective
    information security programs might find HIPAA alignment a bit bumpy,
    but they'll pull through. Organizations operating in
    "information-security-abyss mode" are not only being irresponsible,
    they'll be ravaged if and when HIPAA takes hold.

    Finally, to our European readers: Please accept my apology on behalf
    of those who have a clue regarding our pathetic approach to privacy.
    We've saddled ourselves with an administration that just doesn't "get
    it." And while we should take responsibility for putting that
    administration in office, well, hell, we're not even sure we did.
    Send your comments on this column to Greg Shipley at

    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Mon Jun 11 2001 - 01:03:01 PDT