HIPAA Survival Guide Newsletter October 2014 Archive

Your HIPAA Compliance Companion
October 2014 - Issue 59
October Webinar: Changing Threat Landscape: Why Breach Notification Remains the 800 Pound Gorilla?

Description: This webinar explores the quickly evolving HIPAA threat landscape and how organizations should be prepared when (not if) a breach occurs.

Thursday, October 23, 2014 2:00 PM - 3:30 PM EDT
HIPAA Survival Guide Newsletter: Healthcare's Evolving Threat Landscape: a New Vocabulary is NOT required!


Welcome to The HIPAA Survival Guide Newsletter


     The hacking of Community Health Systems and the theft of 4.5 million records containing ePHI has sent a shockwave through the HIPAA compliance community. Many high-profile executives are now calling for a change from a "compliance strategy" to a "risk management strategy." What these executives mean is that it is not enough to simply comply with the regulations; rather, an organization needs to proactively manage (read: anticipate) risks in order to effectively reduce the legal liability and other harm that result from a significant breach. However, as discussed in this article, compliance and risk management are not mutually exclusive concepts. In fact, if your organization does not include the latter in the former, then you have been doing it wrong all along. The intent of the HIPAA regulations is not to achieve compliance as an end in itself, but rather to "force" healthcare organizations to more effectively manage risks.


What's Needed is Agile Compliance


     We wrote previously that 2014 would be the year of Agile Compliance. That was long before the recent breaches shocked the healthcare industry and caused even savvy executives to rethink their strategies (or at minimum to recommend that others do so). However, that a Chinese (or Russian, or American) organized crime group (potentially state sponsored) targeted healthcare is no shock to anyone who has been reading the tea leaves for years now. These are not black swan events, but events that even lay observers of healthcare's disdain for rigorous privacy and security could have predicted, and did predict. Healthcare is probably a decade behind financial services in terms of security. Five years after the promulgation of the HITECH Act, the industry just now appears to be awakening, slowly and clumsily, from its privacy and security slumber.


    We have also previously written about the case for real-time risk assessments. What this means is a shift in thinking from the Risk Assessment as something done periodically (e.g. once a year) to something that occurs on a daily, near real-time basis. The fact of the matter is that the majority of healthcare organizations have yet to complete a single rigorous Risk Assessment, let alone adopted a policy of completing one at least once a year. In short, organizations continue to grapple with "mere compliance." Most have not begun adopting the proactive approaches required to prevent breaches (i.e. most appear content to respond according to applicable law once a breach occurs).


    Here we intend to discuss the conceptual synthesis between an Agile Compliance strategy and a movement toward preventing breaches using a near real-time Risk Assessment approach. Getting the entire healthcare industry to rethink compliance from "necessary evil" to prevention requires more than a simple change in vocabulary. It requires adopting an iterative compliance methodology that transforms the organization's thinking from a linear, step-wise compliance approach to a constant work-in-progress, evergreen approach.


Big Data to the Rescue or NOT?

     We are going to assume, for the purposes of this article, that you have managed to rebuild the Titanic at sea and have transformed your organization into a practitioner of Agile Compliance. Granted, that is a huge assumption, because at this point in time it is unlikely that "Agile" is even on your radar given the healthcare industry's "groupthink" compliance mindset. However, discussing a breach prevention strategy requires this assumption, and so consider your organization duly transformed. Specifically, as part of this transformation, you have convinced your executive team that quarterly Risk Assessments are appropriate. Although this is organizationally a significant step in the right direction, it is not nearly enough given the quickly evolving and increasingly sophisticated threat landscape that the industry faces.


    In "Internet time" a Risk Assessment once a quarter might as well be a lifetime. Your organization will still be reactive instead of proactive vis-a-vis breach prevention. The threat landscape changes on a daily basis. The next zero-day attack is already in progress. The bad guys clearly understand how data rich and security poor the healthcare industry is. It is, and will continue to be, a prime target. OK, we get it. Healthcare has a problem. What's the solution? There is no solution per se in any classical sense of the word. Security is the quintessential wicked problem. However, there is a way forward. Your organization must become as smart as or smarter than the bad guys. This won't happen overnight and you are going to need some help; lots of help. That is where Big Data enters the picture.




HIPAA Survival Guide Store



Jumpstart your Compliance Initiative with our Subscription Plan Suite
or choose from Individual Compliance Products to fit your needs.



Products
  Model Mobile Policy
  Model Privacy Rule Policy
  Model Notice of Privacy Practices
  Model Security Rule Policy
  Breach Notification Framework
  Breach Notification Policy
  HIPAA Frameworks Combo
  HIPAA Survival Guide 4th Edition
  Business Associate Agreement
  Security Rule For Business Associates
  Business Associate-to-Business Associate Agreement

Training
  HITECH Act Training
  Security Rule Training
  Privacy Rule Training
  Breach Notification Training
  Business Associate Training
  HITECH Core Training Combo
  Omnibus Rule Training
  Mobile Devices Training
  Social Media Training
  Risk Assessment Training
  Risk Management Program Training
  Agile Compliance Training*

Checklists
  Privacy Rule Checklist
  Security Rule Checklist
  Cloud, Social Media and Mobile Checklist
  Three Checklist Combo Package

*Subscription Plan Only





Copyright 2014 All Rights Reserved