Iliana Peters, the former acting deputy director for health privacy at the Office for Civil Rights (OCR), agreed with Dr. Schneck’s point, made earlier in the day, that compliance doesn’t constitute security, but she believes that “nimble” regulations can be very useful. She cited HIPAA as an example: it is technology-neutral and universal enough to be adjusted to fit any organization. HIPAA applies to all organizations that create, maintain, or transmit protected health information (PHI), and it covers unauthorized data access, not just data exfiltration.
The first thing OCR does is request a data inventory, which is something organizations should have regardless of whether they’ve been attacked. 80% of these requests end in a settlement or a fine, meaning that 80% of the time, organizations can’t produce an inventory of all of their data.
HIPAA also applies to vendors and business associates that store data. Organizations need to know which of their associates are storing or handling data, and they need to have Business Associate Agreements with these entities to ensure that the data is being stored securely.
The primary type of threat that causes HIPAA violations has shifted from remote hacking to insider threats, which Peters says is a sign that healthcare organizations are encrypting the data that can walk away.
Settlements require the organization to implement corrective actions in addition to the fine. These include policy changes. Most settlements also include a training requirement.
Peters noted that Anthem’s record $16 million settlement was followed by a $111,400 settlement with Pagosa Springs Medical Center, which she said shows that OCR is focused on organizations of all sizes.
She said the NIST Cybersecurity Framework is a very helpful tool for IT personnel.