HIPAA poses greatest compliance challenges for information security

A survey of 100,000 network administrators found HIPAA to be the most challenging information security regulation to implement

According to an Ipswitch survey of 100,000 network administrators, 38.2% said that HIPAA was the most challenging information security regulation to implement, followed by the Sarbanes-Oxley Act with 29.3% and the Federal Information Security Management Act with 9.3%.

“Enterprises, financial institutions and health care providers are under intense scrutiny to protect the confidential information of their patients and clients”, said Ennio Carboni, president of Ipswitch’s Network Management Division. “Regulations are updated regularly, as are the hackers’ and thieves’ methods of exploiting them.”

Kurt Johnson, VP of strategy and corporate development at identity and access management vendor Courion, noted that the Department of Health and Human Services’ HIPAA checklist is quite extensive.

“The overwhelming majority of those checklist items for IT are doing things such as establishing user access for new and existing employees, understanding individuals and contractors with access to electronic health information, terminating user access, and monitoring system use to see what is authorized and not authorized”, he told Infosecurity.

A major driver of HIPAA compliance is the health care industry’s move to electronic patient records. “You have this perfect storm brewing where you’ve got more electronic health information available than ever before, you’ve more people needing that data…and more electronic devices [to share the information] than ever before”, Johnson said.

In addition, “doctors are a pretty tough user base to deal with. They are well educated and think they know more about everything than anybody else, and that includes IT….So if you put too much security in front of them, they are going to subvert that process…in the name of patient care”, he observed.

“The need for the medical community to share information in the name of patient care has given rise to a lot of security issues, such as…how from an IT security perspective do we put the proper controls in place to ensure that the people accessing the information have that need to know…while at the same time keeping out the people who don’t need it”, Johnson said.
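Two of the checklist items Johnson describes above, terminating user access when staff leave and monitoring system use for access outside a need-to-know relationship, are routinely checked by reconciling an HR roster, the system's account list and its audit log. The script below is an added example written for this page; it is not code from Courion, Ipswitch or HHS. The roster CSV, the account list, the care-team assignments, the audit-log format and the assumption that billing staff may read any chart are all constructed for illustration.

```python
"""Access-review checks for two HIPAA Security Rule checklist items:
disable accounts of departed staff, and flag record access with no
treatment relationship (no need to know).

Added example, not from the article or any vendor. All inputs below are
constructed; a real EHR audit log and HR export will differ.
"""
import csv
import io

# Constructed HR roster (assumed CSV export carrying employment status).
HR_ROSTER_CSV = """\
user,role,status,end_date
dr_lee,physician,active,
nurse_kim,nurse,active,
dr_osei,physician,terminated,2024-03-01
billing_ann,billing,active,
"""

# Constructed list of accounts that still exist in the EHR system.
# contractor_x was never tied to an HR record at all.
EHR_ACCOUNTS = ["dr_lee", "nurse_kim", "dr_osei", "billing_ann", "contractor_x"]

# Constructed care-team assignments: which users have a treatment
# relationship with which patient record (the "need to know").
CARE_TEAM = {
    "P001": {"dr_lee", "nurse_kim"},
    "P002": {"dr_lee"},
    "P003": {"nurse_kim"},
}

# Assumed: billing staff may read every chart to code claims, so their
# access is judged by role rather than by a named assignment.
ROLE_WIDE_ACCESS = {"billing"}

# Constructed EHR audit-log lines: timestamp,user,patient,action.
AUDIT_LOG = """\
2024-03-04T08:01:00,dr_lee,P001,view
2024-03-04T08:05:00,nurse_kim,P002,view
2024-03-04T08:07:00,dr_osei,P001,view
2024-03-04T09:00:00,billing_ann,P003,view
2024-03-04T09:30:00,contractor_x,P002,export
"""


def load_roster(csv_text):
    """Return {user: (role, status)} from the HR export."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["user"]: (row["role"], row["status"]) for row in reader}


def orphaned_accounts(accounts, roster):
    """Accounts that should already be disabled: the person is terminated
    in HR, or has no HR record at all. Returned sorted for stable review."""
    return sorted(
        a for a in accounts
        if a not in roster or roster[a][1] != "active"
    )


def unauthorized_access(log_text, roster, care_team, role_wide):
    """Audit-log entries that fail the need-to-know check.

    Each finding is (timestamp, user, patient, action, reason)."""
    findings = []
    for line in log_text.splitlines():
        ts, user, patient, action = line.split(",")
        entry = roster.get(user)
        if entry is None or entry[1] != "active":
            # Any use by a departed or unknown identity is a finding.
            findings.append((ts, user, patient, action, "no active HR record"))
            continue
        role = entry[0]
        if role in role_wide:
            continue
        if user not in care_team.get(patient, set()):
            findings.append((ts, user, patient, action, "no treatment relationship"))
    return findings


if __name__ == "__main__":
    roster = load_roster(HR_ROSTER_CSV)
    print("accounts to disable:", orphaned_accounts(EHR_ACCOUNTS, roster))
    for f in unauthorized_access(AUDIT_LOG, roster, CARE_TEAM, ROLE_WIDE_ACCESS):
        print("review:", f)
```

On the constructed data this reports dr_osei and contractor_x as accounts to disable, and three log entries for review: nurse_kim reading a chart she is not assigned to, and the two departed or unknown identities. Findings from the need-to-know check should feed a review queue rather than an automatic block: clinical systems normally keep an emergency "break the glass" path, and, as Johnson notes in the paragraph above, controls that get in the way of patient care are what clinicians work around.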

The revision of the HIPAA rules and the passage of the Health Information Technology for Economic and Clinical Health (HITECH) Act in 2009 have increased the regulatory compliance burden on organizations, Johnson observed. First, the changes stepped up enforcement and raised fines. Second, the breach notification requirements for patient data were expanded significantly; under the HITECH breach notification rule, a breach affecting more than 500 individuals in a state or jurisdiction must also be reported to prominent media outlets serving that area.

“If there is a breach, it has to be disclosed, not only to the individual, but via a media outlet….The requirement to notify is a significant concern to the hospital because they don’t want their name broadcast on the news due to a patient privacy violation”, he concluded.
