During a recent discussion with several folks concerning the challenges we still see in healthcare data security, leading healthcare security compliance expert, Brian Evans, shared an interesting perspective that I wanted to pass along.

Though it’s been over six years since the HIPAA Security Rule was finalized, hospitals across the country are still not sure how compliant they are and whether their current efforts are effectively managing information risk. With the HITECH Act strengthening HIPAA and Meaningful Use requirements, hospitals are increasingly coming under pressure to prove that they are compliant. The odds of an unannounced audit by the Office of Civil Rights (OCR), and of subsequent financial fines and penalties for breaches and non-compliance, have risen significantly since the security rule’s deadline in April 2005. And HHS has launched its random audit program with the promise that it is here to stay.

Meeting HIPAA Security requirements is just one of many drivers calling for an increased standard of due diligence with respect to managing information risk. Hospitals need to address a myriad of security requirements besides HIPAA, such as the Red Flags Rule, the Federal Rules of Civil Procedure, the PCI Data Security Standard, FTC’s 21 CFR Part 11 and various state laws. Unfortunately, the efforts to meet all these requirements often result in a fragmented, disjointed collection of information security products and policies. The complexities in IT and the diverse use of confidential data in healthcare today only exacerbate a hospital’s need to go beyond just HIPAA compliance in order to properly manage its information risk. Bruce Schneier, internationally renowned security technologist and author, reminds us that “complexity is the enemy of security.”

The best approach to address this issue is to ensure a comprehensive set of security controls aligned with an industry-accepted security framework. This approach provides greater assurance that information risk and compliance requirements are adequately managed and that future requirements can be proactively addressed. A congressional cyber-security task force has recognized this problem and proposed a solution. Its solution would create a “super-standard” that consolidates federal mandates, such as HIPAA, into one set of standards. This approach is generally supported by most information security professionals. Even privacy experts understand this approach, as demonstrated recently by Deven McGraw when testifying in front of the Senate Judiciary Committee’s panel on privacy, technology and law, chaired by Sen. Al Franken, D-Minn.

The volume of confidential data processed and transmitted by hospitals grows every year. Trying to protect this data with a patchwork of independent security solutions and procedures is a formula for disaster. Hospitals should have a consistent and comprehensive approach to managing information risk and compliance requirements. There is no substitute for implementing an information security framework.

Brian’s perspective is spot on. If we want to see real improvement made in healthcare data security, we need to use a better measuring stick than just HIPAA or HITECH. Neither represents a solid information security framework from which to build a security program. Maybe Senator Franken will get it done.