Welcome to The HIPAA Survival Guide Newsletter
The hacking of Community Health Systems and the theft of 4.5 million records containing ePHI has sent a shockwave through the HIPAA compliance community. Many high profile executives are now calling for a change from a "compliance strategy" to a "risk management strategy." What these executives mean is that it is not enough to simply comply with the regulations; rather, organizations need to proactively manage (read: anticipate) risks in order to effectively reduce the legal liability and other harm that results from a significant breach. However, as discussed in this article, compliance and risk management are not mutually exclusive concepts. In fact, if your organization does not include the latter in the former, then you have been doing it wrong all along. The intent of the HIPAA regulations is not to achieve compliance for its own sake, but rather to "force" healthcare organizations to more effectively manage risks.
What's Needed is Agile Compliance
We wrote previously that 2014 would be the year of Agile Compliance. This was long before the recent breaches shocked the healthcare industry and caused even savvy executives to rethink their strategies (or at minimum to recommend that others do so). However, that a Chinese (or Russian, or American) organized crime organization (potentially state sponsored) targeted healthcare is not a shock to anyone who has been reading the tea leaves for years now. These are not black swan events, but rather events that even lay observers of healthcare's disdain for rigorous privacy and security could have predicted, and were predicting. Healthcare is probably a decade behind financial services in terms of security. Five years after the promulgation of the HITECH Act, the industry just now appears to be awakening, slowly and clumsily, from its privacy and security slumber.
We have also previously written about the case for real-time risk assessments. What this means is a shift in thinking from a Risk Assessment as something that is done periodically (i.e. once a year) to something that occurs on a daily, near real-time basis. The fact of the matter is that the majority of healthcare organizations have yet to complete a single rigorous Risk Assessment, let alone adopted a policy of completing a Risk Assessment at least once a year. In short, organizations continue to grapple with "mere compliance." Most have not begun to adopt the proactive approaches required to prevent breaches (i.e. most appear content with an approach of responding according to applicable law once a breach occurs).
Here we intend to discuss the synthesis, conceptually, between an Agile Compliance strategy and a movement toward preventing breaches using a near real-time Risk Assessment approach. Getting the entire healthcare industry to rethink compliance from "necessary evil" to prevention requires more than a simple change in vocabulary. It requires adopting an iterative compliance methodology that transforms the organization's thinking from a linear step-wise compliance approach to a constant work-in-progress evergreen approach.
Big Data to the Rescue or NOT?
We are going to assume, for the purposes of this article, that you have managed to rebuild the Titanic at sea and have transformed your organization into a practitioner of Agile Compliance. Granted, that's a huge assumption because at this point in time it is unlikely that "Agile" is even on your radar given the healthcare industry's "groupthink" compliance mindset. However, discussing a breach prevention strategy requires this assumption, and so, consider your organization duly transformed. Specifically, as part of this transformation, you have convinced your executive team that quarterly Risk Assessments are appropriate. Although this is, organizationally, a significant step in the right direction, it is not nearly enough given the quickly evolving and increasingly sophisticated threat landscape that the industry faces.
In "Internet time" a Risk Assessment once a quarter might as well be a lifetime. Your organization will still be reactive instead of proactive vis-a-vis breach prevention. The threat landscape changes on a daily basis. The next zero-day hack is already in progress. The bad guys clearly understand how data rich and security poor the healthcare industry is. It is, and will continue to be, a prime target. OK, we get it. Healthcare has a problem. What's the solution? There is no solution per se in any classical sense of the word. Security is the quintessential wicked problem. However, there is a way forward. Your organization must become as smart as or smarter than the bad guys. This won't happen overnight and you are going to need some help; lots of help. That is where Big Data enters the picture.