Department of Health and Human Services (HHS) Chief Regional Civil Rights Counsel Jerome Meites recently predicted that there would be a considerable uptick in HHS data breach penalties within the next year, according to thehill.com.
“Knowing what’s in the pipeline, I suspect that that number will be low compared to what’s coming up,” Meites said, adding that he wasn’t speaking on the behalf of HHS. Meites’ comments should be the latest reminder to healthcare organizations that they should be prepared with transparent security programs in the face of upcoming HIPAA audits.
Anahi Santiago, Chief Information Security Officer (CISO) and Privacy Officer at Einstein Healthcare Network, explained to HealthITSecurity.com how much of the work that she did years ago within her organization has helped keep it equipped for a potential federal visit. In building her security program over her 9 ½ years at Einstein, Santiago said she has used pieces of a variety of different security frameworks as reference points. She sees all of the frameworks crossing paths and having similarities, so having a mix of the different frameworks makes the most sense.
We started with the NIST framework and weren’t overly prescriptive with it; we used it as a baseline and have taken some pieces from COBIT and ISO, and we’ve certainly started to lean toward utilizing HITRUST. I would love, at some point, to transition the organization fully to HITRUST. But we recognize that no one framework is a good fit for the organization; especially in healthcare you recognize that no one framework will be a one-size-fits-all.
No healthcare IT security program these days should be without well-planned user training either, and Santiago said that Einstein trains employees on phishing attacks as part of its overall education awareness campaigns. These targeted educational sessions are not only for new employees but for annual compliance as well.
We do these for different areas in the organization, as we train them on protecting information on mobile devices, on phishing or social engineering. And we are launching a campaign in the early fall to simulate phishing attacks, where we send out phishing emails to targeted areas in the organization and see how they respond, to use as yet another medium for education.
Whenever there is a major breach at another organization, such as the recent Target breach, Santiago said she uses the incident as an opportunity to educate Einstein’s employees on what could happen at Einstein and what it would mean to them.
Lastly, Santiago touched upon the continual process of vendor management in complying with the HIPAA Omnibus Rule. According to Santiago, many of the elements that the new rule put into play were introduced when the HITECH Act was released in 2009.
We saw the writing on the wall and revised our business associate agreements (BAAs) back in 2009 and started the re-signing efforts while transitioning our vendor management processes. At that time, we were a little ahead of the [BAA] game. I don’t get to say that very often, but that was certainly fortunate for us. We’ve been revising and revamping our vendor management strategy for more than 4 years.