Information Security News mailing list archives

Navigating the HIPAA Hype


From: InfoSec News <isn () c4i org>
Date: Fri, 8 Jun 2001 17:47:36 -0500 (CDT)

http://networkcomputing.com/1212/1212colshipley.html

June 11, 2001
By Greg Shipley 
 
As an IT professional in the United States it's taken me a while to
realize just how bad things have gotten on our country's
privacy-protection front. In fact, I should thank my European
colleagues for educating me -- if not for my work on international
projects I'd still be ignorant.
When I started investigating the Health Insurance Portability and
Accountability Act (HIPAA), I was intrigued; HIPAA seemed to be one of
the first real steps in the right direction. But anyone who's worked
with the regulations will tell you: HIPAA has ruffled feathers. Its
scope will touch organizations both large and small, and a number of
deep-rooted problems will need fixing. Of course, if pain proves
profitable, you'll find businesses there to capitalize on it. Over the
past 12 months I've been bombarded by news releases rambling on about
HIPAA offerings: compliancy checks, audits, industry-expert
availability and a variety of other HIPAA-related services. Accounting
firms, consulting houses and other vendors are all looking to get a
piece of the chaos, uh, I mean, action ... and the foul stench of FUD
is in the air.

Although I welcome much of what HIPAA is attempting, there's one major
point the sales and marketing pimp squads continue to ignore: Many of
the proposed "standards" haven't been ratified yet. Of the seven
sections that comprise the "Administrative Simplification" portion
(which affects IT heavily), only two standards have achieved "final
rule" status. More comical is the lack of people who have read the
drafts -- many "experts" haven't even read word one.

But let's not jump ahead. Let's start with the basics. Security
professionals who have read the document(s) immediately discovered the
glaringly obvious: Many of the proposed ideas aren't rocket science.
Hell, they're not even particularly new concepts. While I don't claim
to be a HIPAA expert (nor do I ever want to be), my own perusals have
yielded the following: Much of what the HIPAA Administrative
Simplification rules propose is a reiteration of information security
best practices, including information access control, security
testing, documentation, backup and disaster-recovery planning, virus
checking, termination procedures, encryption and authentication, and
the list goes on. As any good security officer will tell you,
organizations should be covering these areas with or without HIPAA.

How soon will HIPAA take hold? If the health-care behemoths get their
way, the same administration that told the EU its privacy standards
are "incompatible with real-world operations" (see article) will be
blasting holes in HIPAA and its proposed timelines. But don't hang out
waiting to see what happens on Capitol Hill; get your infosec act
together regardless. Besides taking care of the little things -- like
protecting patient records -- organizations should be preparing for
future regulations, whether they come down now or 20 years from now.
The 5,000 patient records lifted from University of Washington's
medical center earlier this year were only the tip of the iceberg.

If you're a health-care-related organization, form a good idea of
where your organization's information security program is today. Do
yourself and your clients a favor and read the rulings, evaluate the
vendors and start with the basics. Organizations with effective
information security programs might find HIPAA alignment a bit bumpy,
but they'll pull through. Organizations operating in
"information-security-abyss mode" are not only being irresponsible,
they'll be ravaged if and when HIPAA takes hold.

Finally, to our European readers: Please accept my apology on behalf
of those who have a clue regarding our pathetic approach to privacy.
We've saddled ourselves with an administration that just doesn't "get
it." And while we should take responsibility for putting that
administration in office, well, hell, we're not even sure we did.

Send your comments on this column to Greg Shipley at
gshipley () neohapsis com.




ISN is hosted by SecurityFocus.com