BreachExchange mailing list archives

Stop Talking About Compliance. Please.


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 17 Mar 2015 19:52:38 -0600

http://www.healthdatamanagement.com/blogs/stop-talking-about-compliance-please-50006-1.html


We’re now eating the exhaust of the massive Anthem breach and predictably,
a Google search serves up hundreds of commentary pieces about this being
the wake-up call, the call to arms, a turning point for healthcare data
security.

Whatever. Security experts can write as many treatises as they want about
what new and improved data security methods need to be applied, but the
hard truth is that the healthcare industry has never made an effort to have
a serious conversation about real-world security. Instead, the industry has
conditioned itself to talk and think about compliance, which many have
learned the hard way is an entirely different matter. And whatever happens
next in terms of regulatory actions, it likely will continue to do so.

Healthcare data security by and large rolls up to an executive whose
background is in compliance. And that’s great if you as a C-suite leader
want to check off on all your HIPAA privacy/security requirements and sleep
well at night. You have elaborate, role-based data access matrixes, you’ve
spent treasure on making sure nurses aren’t sharing passwords, and
workstations are angled properly so passing staffers or patients can’t read
what’s on screen. And you’ve convinced physicians that if they have
water-cooler conversations about their patients, or even heaven forbid send
an e-mail that contains “exposed” personal health information, you’ve got
the torture chamber fully staffed.

These are exercises in compliance, not in actually keeping data secure. The
HIPAA security standard contains a number of “addressable” and “required”
specifications, and in the compliance mindset these are often construed as
specifications you have to implement, and addressable specifications that
you pour a lot of energy and billable lawyer hours into documenting why you
can’t possibly implement, while throwing in an alternative security measure
that can pass the compliance smell test but is completely inadequate out in
the digital jungle. Especially in light of how incredibly attractive
healthcare data, combined as it often is with Social Security Numbers, home
addresses and rich financial information, is to villains both foreign and
domestic.

The cavalier attitude toward data at rest is a glaring example. Someone who
spent their career in security would reflexively focus on the vulnerability
of databases which are a couple of passwords and third-party contractors
away from being completely exposed. They wouldn’t be thinking about coming
up with excuses about how encryption would pose an unreasonable burden to
operations; instead, they would focus on using it as the rule, not the
exception. And while they’re at it, they would probably think
“company-issued unencrypted laptops … really?”

But that’s not how the healthcare industry rolls. Hopefully true security
experts can convince organizations to stop talking about compliance and
instead have some intense conversations around actual data security.
Compliance exists in a realm where documentation, not results, is the real
goal, and all data is safe if you have the proper paperwork to show
regulators. You can draw unwelcome parallels here to the meaningful use
incentive program, where electronic health record systems that meet all the
requirements are being “meaningfully used” in the estimation of everyone
except the physicians who actually use them.

Compliance should be a byproduct of data security planning and a host of
other health IT efforts, not the purpose.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 