Analysis: HHS’ Revised Strategic Health IT Plan
Do the Privacy and Security Provisions Come Up Short?
… “The key to making this strategic plan something real lies in deriving well-defined tactical tasks accompanied by metrics measuring maturity and identifying gaps,” says Keith Fricke, principal consultant at tw-Security. “The credit card companies had that goal in mind when creating the Payment Card Industry Data Security Standard. A prescriptive roadmap provides clarity and direction.”
PCI DSS offers more practical guidance than HIPAA, Fricke argues. “HIPAA is top-heavy on administrative tasks – such as policies, procedures, plans, etc. – that do little to actually secure PHI via technical controls. PCI DSS is almost all technology and very specific in regard to the controls required and light on the administrative burden. I’m not aware of a cyberattacker being thwarted by some ‘really good policies.’”
… Tom Walsh, founder of consulting firm tw-Security, also says there’s still plenty of work to do. “This is a ‘strategic plan’ so it is a high-level document that is supposed to help set direction for the industry as a whole,” he says. “Therefore, there is a lot of fluff but not a lot of substance. It does not answer the tough, ‘Who, How, and When’ questions.”