[ISN] $1.5M Fine Marks A New Era In HITECH Enforcement

From: InfoSec News <alerts_at_private>
Date: Thu, 22 Mar 2012 04:54:15 -0500 (CDT)
http://www.darkreading.com/database-security/167901020/security/news/232700031/1-5m-fine-marks-a-new-era-in-hitech-enforcement.html

By Ericka Chickowski
Dark Reading
Contributing Writer
March 21, 2012

Enforcement actions from the U.S. Department of Health and Human 
Services (HHS) Office for Civil Rights (OCR) just reached a new level of 
reality last week when the department announced a $1.5 million 
settlement with BlueCross BlueShield of Tennessee over a 2010 data 
breach, making the organization the first to pay out penalties since the
Health Information Technology for Economic and Clinical Health Act 
(HITECH) went live in 2009. The question now is whether such tangible 
examples of financial fallout will convince healthcare IT to invest in 
better security measures.

"It's certainly a warning shot for the healthcare industry," says John 
Nicholson, counsel for the global sourcing practice at Washington, 
D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. "But is that a 
sufficient amount to act as a deterrent? It's hard to tell at this 
point. It's at the upper end of what organizations can be penalized and 
when you break it down it equals about a buck a record lost. For 
companies that are dealing in millions of records, that penalty can add 
up. But that's just at very large companies. And data breaches are 
becoming sufficiently routine that everyone sort of looks at it and 
goes, 'Eh, it's another one.'"

But Nav Ranajee, director of the healthcare vertical for CoreLink Data 
Centers, believes that starting to hit the big organizations in the 
pocketbook and making a spectacle out of the process should have the 
desired effect. Many of these organizations have been deprioritizing 
security because there just hasn't been enough financial incentive to 
push it up the IT to-do list, he says. By making pecuniary damage a real 
risk of failing to comply with Health Insurance Portability and 
Accountability Act (HIPAA) security requirements, HHS changes that 
financial equation for these organizations, he says.

"What I'm seeing now when we talk to our clients, say a hospital or a 
business associate like a software company that services a hospital, is 
that when it comes to HIPAA, the first priority of a CIO has 
historically been to allocate funds to get that new EMR in house or that 
new clinical system, because that's going to pay off in revenue," he says. 
"But when it comes to making sure HIPAA requirements are up to date, 
that's usually the last line item on the budget because it's really a 
sunk cost. Now they're going to have to look at the risk involved and 
wonder 'Do I risk having a million dollar lawsuit if I don't put the 
right security protocols in place?'"

[...]


Received on Thu Mar 22 2012 - 02:54:15 PDT
