HIPAA preparation: An expedition without end
“A decent compliance officer’s job is to make certain that over this journey, you’re remaining on the right trails.”
When Tom Walsh became the first information security manager for a large, multi-hospital system in Kansas City in 1992, people outside the organization had little awareness of what the job entailed.
“Since then, my aim has been to have one boring day — but it has never happened,” said Walsh, founder and CEO of tw-Security, a firm focused on securing clients’ information resources.
Walsh will moderate “Directing the Practical and Legal Aspects of HIPAA,” an all-day workshop, at HIMSS15 in Chicago on April 12.
He describes the pursuit of HIPAA compliance as a “perpetual journey,” shaped at times by new technology and data-sharing requirements that did not even exist when the rules were written.
For instance, according to the National Institute of Standards and Technology, a security risk assessment should be conducted at least once every three years unless an organization undergoes some sort of substantial change. “Well, with information technology, things are constantly changing,” said Walsh. “Those that have been indicating for meaningful use have had to reconsider their risk analysis year after year. In most cases, things are either yearly or continuing.
“So in practical terms, the goal is to ultimately end up in maintenance mode,” he adds. “A good compliance officer’s job is to assure that through this journey, you’re remaining on the right tracks.”
In light of the ever-changing environment for data security, Walsh will caution workshop attendees about claiming to be HIPAA-compliant.
“That’s a bold statement if you don’t have any way to back it up. Even if you are, it’s a snapshot in time. Maybe you are compliant today, but you could be out of compliance a month from now because somebody introduced new technology, it changed your network and thus created some new vulnerability that you’re not aware of,” Walsh adds.
At the same time, though, being well-informed about HIPAA can help executives achieve both business goals and security objectives. For example, contrary to a common misconception, HIPAA does not mandate that users change their system passwords every 90 days.
“The required action is to authenticate users, and there are other compensating controls that could be incorporated to address authentication,” Walsh continues. “Innovative forms of validation like biometrics or even smart cards or tokens are far more protected than outdated passwords. That’s where we can take the discussion and move away from passwords altogether. There are ways to make it easier to get the job done and still meet the intent of confirmation.”
He concludes, “That’s how I would use security as a business enabler, not an inhibitor.”