Interview – HIPAA and Population Health Management

I recently had the opportunity to talk about the challenges and successes of working to create a HIPAA compliant information sharing exchange platform with the goal of promoting population health management.

Hope everyone is having a happy holidays! Coming up soon I will discuss things you should consider as goals in privacy and security management for 2016.

/s/ HH @LegalLevity

10 Technology Tips to Avoid HIPAA Violations – Guest Author at Newegg Business

This week I wrote a guest article for Newegg’s Business blog, Hardboiled. I walked through my 10 Technology Tips on How to Avoid HIPAA Violations.

Take a read!

/s/ HH @LegalLevity

Why Compliance Matters to You; or it Should.

Not long ago I got into an argument with an information security (“infosec”) person about that dirty word we all love to hate, compliance <shudder>. This person’s position was that compliance does not matter and does not advance the state of security “at all.” Sadly, these anti-compliance opinions are remarkably commonplace and often have the inverse effect of what the individual really wants, buy-in from decision makers. The impact of anti-comp opinions on our organizations is pervasive, invasive, and overwhelming.

Non-techies are Technology Empaths

The organizations we work for echo our opinions on tech and infosec. So, if you espouse an anti-comp opinion, the employees around you, as well as those you support and train will begin to hold those same beliefs. For a large majority of the workplace, the infosec team operates with borderline magical abilities, which means that those who are not technically inclined will adopt the team’s opinions.  Put simply, ask yourself a question: if you ran a company and your infosec team did not believe that compliance advanced the state of security, how much would you invest in data security; training; or infosec infrastructure? The answer is as little as possible, because if compliance does not matter to my infosec team, then why should it matter to me?

Data Breaches in 2015:

How many of you received a letter from Anthem, Premera, or Carefirst regarding the theft of your PHI from an unencrypted server? These three BCBS company breaches saw the loss of ~93 million PHI records in the span of six months. In tandem with BCBS, the Office of Personnel Management (“OPM”) discovered catastrophic on-going breaches resulting in ~22 million stolen records, many of which were from top secret security clearance applications. From OPM to BCBS, over 105 million people have had their data stolen this year. The inevitable lawsuits stemming from those breaches will revolve around two primary questions: whether the entities failed to meet industry standards and whether they violated the law; a.k.a. compliance.

Audits and investigations:

Investigations are coming. If you had any doubts or questions about whether the federal government was committed to enforcement actions and audits, read my article on the New Normal of HIPAA breaches, audits, and enforcement. Quickly, the OCR is out there and coming for you whether or not a breach or theft occurs. The OCR plans on auditing 10% of every covered entity and 5% of every business associate, regardless of whether a breach occurred. Add to this ramped up investigatory presence the expanding range of penalties, both company and personal, and the case for compliance begins to crystallize. These efforts are not limited to the HIPAA sector either: the FTC recently released its “Start with Security: Guide for Business,” which promises to be a foundation of the FTC’s legal efforts against companies who fail to meet the minimum thresholds of these guidelines. Simply put, no matter what sector you are in, government efforts and spending are ramping up, often at exponential rates, to ensure that organizations with data are in compliance with the law.

Compliance is your friend

Compliance is no longer a four-letter word relegated to the low rung on the budgetary spreadsheet next to birthday cakes and dry erase markers. Compliance departments are becoming larger, more robust, and increasingly well funded every year. What many anti-compliance advocates do not realize is that compliance does advance the state of security because it gives you a toolbox of legal authority to grab attention and justify spending on what matters to you: advancing information security within your organization. Not only is an anti-comp attitude unproductive, but it can literally impact your ability to do your job or even keep your job. Compliance means you, as an infosec professional, can get that buy-in on that project, tech upgrade, or conference you need to do your job. If you aren’t advocating for compliance in your organization, you should be, because it’s advocating for yourself.

It’s simple – advocate now, or pay later.

/s/ HH @LegalLevity

Technology, HIPAA and You Part 4: HIPAAtrek

Wow what a whirlwind of a month. Since my talk at BSides San Francisco I have been in Dallas, Chicago, San Diego, and points beyond working on the intersection of HIPAA and Infosec as a new paradigm for thinking about how we secure PHI. There was also my guest piece @Tripwire on The New Normal in Breaches, Audits and Enforcement.

On top of that I got to meet with a company called HIPAAtrek, located in St. Louis, MO. HIPAAtrek was founded by an amazing group of individuals headed up by Sarah Badahman. As a quick note, I am not a client of HIPAAtrek, nor did I receive any compensation for this review. Part of what I do for this blog is work to find the best and brightest (in my opinion), products and people out there to help you navigate the HIPAA mine field. To that end, here is what I found on my run through of HIPAAtrek.

The goal behind HIPAAtrek is to develop a platform for HIPAA that works to take the complexity and expense out of compliance and compliance tracking. To that end, the people at HIPAAtrek created a web facing product that serves as the dashboard for your HIPAAtrek experience.

Dashboard and User Tracking

[Screenshot: HT Dashboard]

The basic five icons are a bit deceiving in the amount of information they really contain. The manage users tab allows you, if you choose, to manage every employee in your company, their level of training, alerts, and even when they have accessed the website to review materials. As someone who constantly struggles to get employees to do training, the ability to track, send out alerts, and badger the crap out of someone appeals immensely. There is even a dashboard to tell me who has viewed alerts or other reminders.

[Screenshot: Security Reminder Log]

My understanding is that in the not too distant future HIPAAtrek will offer the ability to administer and track trainings. If they can add videos, tests, and uploaded training materials, this portion of the HIPAAtrek offering will really kick it up a notch. Most audits involve the inevitable questions: who did you train; when did you train; and what did you train. Already, many certifying organizations for healthcare require these types of reports, and it would be a real cherry on top.

Policy page and to-dos

[Screenshot: Policies Page]

The policies page is one of my favorites. Each of the icons represents a different policy or group of policies and frankly makes it a lot easier to figure out what you are looking for when browsing. Even in my own policy set, I often have to hunt until I find something. These intuitive links make that easier. The links here are broken into 20 categories ranging from Security Management Process and Contingency Plan to Workstation Use and Breach Notification. Also, alongside each picture is a little number that indicates the number of policies contained within. Once you click one of the icons, you are taken to a policy page. Each category takes you to a page that describes the category, the overall purpose and the policy statements that you create. Also a part of this page is a nifty progress bar that gives you a percentage of completion for your HIPAA policies. Each of these policies is tagged as either ‘Finalized’ or ‘In Progress.’

[Screenshot: Reminder Report]

This page also gives you a handy download to .pdf option in case those pesky auditors come around or you have an employee who must have paper. Ideally, a feature will be added in the future that will track revision number, date, edits, or even a button to track notes and/or specific things you want to remember when working in this category. Given the emphasis on business continuity and disaster recovery, I could see a place to upload your outcomes, dry runs, and findings from DRBC simulations. This brings me to the real sweet spot and a clear differentiator of HIPAAtrek.

[Screenshot: Policy Module]

By using this service they will help you create your own policies from scratch, import policies you have already created, and yes (gasp) review the policies you have for gaps. A lot of services out there either utilize the pump and dump method, where you get blank policies to fill in, or they fill out policies with zero feedback or input from the stakeholders. HIPAAtrek leverages a different model that actually feels collaborative.

Closing thoughts

I have reviewed and used a lot of HIPAA compliance programs that I have not, and would not, review. Too many firms overcharge and under-deliver in an expanding HIPAA compliance field that all too rarely provides fluff and stuff over depth and breadth. As with any compliance effort, HIPAAtrek will not do the work for you. HIPAA compliance must be looked at like climbing a mountain: you and your organization do the work, but having a sherpa (or HIPAA Sherpa) to guide you along the way makes things significantly smoother and less fraught with icefalls, audits and crevasses. The bottom line is that audits are growing in number and breaches are expanding exponentially. Take a look at this piece I did on the OCR HIPAA Breach Reporting Data if you aren’t convinced.

Prepare now or pay later!

/s/ HH @LegalLevity