The risk equation has changed, and HIPAA compliance must now take center stage for every healthcare organization.
By Mike Guiterman
If your estimated cost to establish compliance with the Health Insurance Portability and Accountability Act (HIPAA) across a company were $1 million but the penalties for a breach were capped at $50,000, what risk decision would you make? It’s a no-brainer. You could suffer 20 breaches before the cost of compliance would equal the penalties for non-compliance, so from a risk management perspective the risk of non-compliance is minimal.
However, the risk equation has changed, and HIPAA compliance must now take center stage for every healthcare organization.
The Health Information Technology for Economic and Clinical Health Act (HITECH Act) provisions of the American Recovery and Reinvestment Act of 2009 (ARRA) add teeth to HIPAA and its accompanying Security Rules. It is no longer up to the victim to file a civil suit; HIPAA compliance requirements will be enforced by HHS and state attorneys general. In addition, beginning February 17, 2010, covered entities must self-report breaches to the media and face substantial penalties of up to $1.5 million per breach for failing to protect patient health information (PHI). In extreme cases, where willful neglect is proven to be the cause of the breach, financial penalties are unlimited. Given these changes to HIPAA, every healthcare organization must quickly take stock of its processes and technologies to ensure it can adequately meet the HIPAA Security Rules as governed by 45 CFR 164.306.
Because HIPAA does not include specific implementation guidance, as other compliance mandates do, covered entities must fend for themselves to identify safeguards that ensure the confidentiality, integrity and availability of PHI. One option available to healthcare companies is the HITRUST Common Security Framework (CSF). The CSF outlines 136 best-practice controls mapped across 13 security control categories. HITRUST also offers a certification program that can be used to measure and demonstrate compliance with HIPAA. Best practices and technologies defined in the CSF, or that have proven successful in other industries long subject to strict security requirements, can be successfully applied in the healthcare industry. These include:
Awareness: Know what and who is on your network and accessing data.
Recognize that networks are dynamic, with hardware and software constantly changing to support a growing number of business partners, remote patient services and the exchange of electronic health records (EHRs). There aren’t enough hours in the day, and most healthcare organizations can’t afford a large enough staff, nor do they want to tie up highly trained IT resources, to endlessly fine-tune solutions that continuously track everything on the network. Healthcare companies should invest in solutions that automatically maintain a real-time inventory of these assets and how they’re changing. New assets, new applications and configuration changes can introduce vulnerabilities that attackers look to exploit. Healthcare organizations need to be able to quickly identify and remediate weaknesses – before hackers find them.
Automation: Reduce the burden on personnel and minimize the risk of human error by applying technology to repeatable processes.
The key to implementing and maintaining effective security and complying with regulatory requirements is automation. Pressure and scrutiny regarding security and privacy spur many organizations to rely on IT staff to monitor, analyze and apply knowledge about the IT landscape on an ongoing basis to protect constantly evolving networks and users. Based on lessons learned in other industries and government, these expectations have proven to be unrealistic. Because threats to the network are faster, smarter, more prevalent and more elusive than ever before, people can’t be as vigilant as they need to be to watch for policy violations or flag abnormal network behaviors. Healthcare organizations should focus on technologies that not only reduce the effort to install and configure them, but also automate the monitoring and enforcement of the organization’s network security policies, including compliance rules and lists. Smart technologies that automate tuning, alert routing, policy enforcement and remediation are critical.
Aggregation: Identify ways to satisfy multiple HITRUST CSF controls at the same time.
When evaluating security products, healthcare organizations should focus their efforts on identifying technology that offers more than a single feature. For example, an Intrusion Prevention System (IPS) that maintains asset profiles and their associated vulnerabilities, monitors and enforces configuration and acceptable-use policies, and supports audit reports is a technology that can help manage multiple best-practice technology controls to improve security and demonstrate compliance. Not only are such solutions typically more cost-effective at the initial purchase, but they also require fewer IT security staff resources to maintain on an ongoing basis.
The HITECH Act is a wake-up call. Virtually every healthcare organization and business partner must identify and put into action the processes and tools needed to satisfy the security requirements set forth in HIPAA nearly 14 years ago, requirements that are essential to any successful healthcare reform initiative. Although the consequences of failing to protect PHI have never been more severe, the processes and tools available to safeguard that information have never been more robust.
Mike Guiterman is director of regulatory compliance products at Sourcefire.