The following is a guest blog post by Anna Drachenberg, Founder and CEO of HIPAA Risk Management.
It’s taken a while to collect our team’s thoughts, feedback and reactions to the SANS Institute Healthcare Cyber Security Summit 2014 held last month in San Francisco. The holidays, end-of-year, and beginning-of-the-year craziness played a part, but it also required several team discussions to produce a concise wrap-up of the event because it covered so many topics.
The healthcare community needs to get active in SANS Institute’s events and programs. SANS Institute was created in 1989 as a cooperative research and education organization. The organization is focused on information security for all industries. However, SANS needs industry participation in order for that industry to benefit from its research and information-sharing programs. Most of the SANS healthcare community is made up of IT executives and professionals who started in the financial sector and have moved to healthcare in the past couple of years at some of the largest organizations – Kaiser Permanente, Aetna, etc. It’s a great start, and the recent summit, while only in its 2nd year, was a well-developed, well-organized event. But, SANS needs more participation from different healthcare organizations including smaller covered entities.
We asked the three members of our team who attended the conference to provide their top “take-aways” from the Summit.
“Stop focusing on compliance and start focusing on security”
This concept was repeated in several presentations, and for the most part, it is true. So many organizations and HIPAA Security Officers focus on whether or not they are in compliance with the regulation – documenting why they are not implementing an addressable standard like encryption – instead of securing the information that is at risk. That said, the presenters missed an important reality of healthcare information security: owners and management understand compliance; they don’t understand security. Until the healthcare community fears the cost of the breach more than the cost of a HIPAA fine, covered entities will spend money on “compliance” before they spend money on “security.” I would not recommend that a healthcare IT professional start his or her next presentation to the executive team with “Forget Compliance – Focus on Security!” any time soon.
“No one had a good answer when asked how small businesses could implement effective information security programs when most don’t even have a dedicated IT staff person”
Yes, our team asked several presenters and panelists how the majority of covered entities were supposed to implement the technology, tool and/or process being discussed when, according to Census.gov, 89% of healthcare businesses in the U.S. have less than 25 employees. The answers varied, from “use cloud technology,” from a cloud technology vendor; to “participate in the NH-IASC,” from a board member of the National Health Information Sharing and Analysis Center. The most honest answer was from Rob Foster, Deputy Chief Information Officer and Acting Chief – Information Security, U.S. Dept. of Health and Human Services. Mr. Foster acknowledged that small covered entities would need …read more