At Showmecon (www.showmecon.com, June 8-9, 2015)
I went to a HIPAA compliance talk by Hudson Harris, “HIPAA 2015 - Wrath of the Audits”.
It was an excellent talk by Hudson Harris (@legallevity on Twitter).
This is my report (or rather, what I got out of it):
1. 10% of all HIPAA covered entities will be audited, no matter their size or other characteristics.
2. When an entity is audited, it has only 2 weeks to respond, so if there is no policy or HIPAA security plan already in place, it is too late to create one. You will need:
a. Breach policy and response
b. An assessment of what was breached
c. A plan for how you will notify the people whose records were compromised. Breaches affecting fewer than 500 people and those affecting more than 500 may call for different actions.
3. Policies on how to safeguard PHI (Protected Health Information) and on its disclosure and use may number 50-75 for a typical company.
4. Workforce management and access have to be worked out.
5. A Disaster Recovery (DR) and Business Continuity (BC) plan should be in place.
6. There should be access protection, both physical and digital.
Hudson said that the Office for Civil Rights has been known to come in dressed as a flower delivery person to try to get into areas they should not, and then try to access computers, much like a social-engineering attacker would. Sometimes the Office for Civil Rights takes this social engineering to a new level.
Digital security policies are different from physical security policies.
The HIPAA calendar would include the following:
A. Regular training (physical and digital)
B. Persistent Alerts
C. DR & BC
D. Security Risk Assessment
Use NIST (National Institute of Standards and Technology) as a resource, as HIPAA compliance auditors do. NIST Special Publications page: http://csrc.nist.gov/publications/PubsSPs.html
As usual, the Devil is in the details.
In a security risk assessment, establishing a baseline and scoring threats and vulnerabilities leads to an impact score.
Why would a system be vulnerable? Do you have to run an old server that can’t be patched until it is updated?
The Office for Civil Rights has a HIPAA Enforcement page: http://www.hhs.gov/ocr/privacy/hipaa/enforcement/index.html
At this point I would like to bring into the conversation a Securosis blog post by Rich (https://securosis.com/blog), where Rich updated his Security Guiding Principles (2015 version):
1. Don’t expect human behavior to change. Ever.
2. Simple doesn’t scale.
3. Only economics really changes security.
4. You cannot eliminate all vulnerabilities.
5. You are breached. Right now.
How do Rich’s security guiding principles affect a HIPAA compliance audit, or a PCI compliance audit?
I think we are always vulnerable to very good social engineers, because you can’t say “beware of fake plumbers” or other fake people without giving any examples, but the example may not prepare you. Not everyone is a good security officer. Some people are easy to “hack”.
It takes money to be “more secure”, although it is not simple and will be hard to quantify.
It takes a big company to admit that it has had a breach and to take steps to report and later fix the problem.
Policies are only so good, and security is bigger than compliance.
Here is a picture of some of the concepts I created to help with understanding (a picture is worth a thousand words).
We can assume PCI compliance = HIPAA compliance.