Toot

Written by Patrick Townsend on 2025-01-02 at 23:10

Heads up, InfoSec friends in the US - HIPAA

It is hard to believe that the HIPAA rule was passed almost 30 years ago. And, to me, it is surprising that the folks at HHS/OCR are just now getting around to correcting one fundamental mistake in the security rules. If you follow this regulatory area, you know that some of the security rules are mandatory and some of them are “addressable”. What does addressable mean? It means you should do it, but you don’t have to. In the security world we know what that means. If you don’t have to do it, you probably won’t. And that’s exactly what happened – health care data breaches have just increased over time. Recently we saw the massive Change Healthcare breach with about 100 million (!) records lost.

HHS/OCR is now planning on an update to HIPAA security rules related to encryption and some other areas. This Notice of Proposed Rulemaking (NPRM) just arrived in my inbox this week:

https://www.hhs.gov/hipaa/for-professionals/security/hipaa-security-rule-nprm/factsheet/index.html

It takes time for this to work through the bureaucratic process, but given the history of losses of Protected Health Information (PHI and ePHI), I think this will eventually become the rule. Notice that the distinction between “mandatory” and “addressable” is going away. Also notice the focus on encryption of data at rest.

Most health organizations (Covered Entities and Business Associates in HIPAA lingo) have done work to encrypt laptops but that is not where the juicy stuff resides. It’s in those big medical application databases. So, this will be a big change.

If you provide IT and/or security expertise to an organization covered by HIPAA, I suggest the following initial steps:

* Map the healthcare data flows. You will need this to implement an encryption strategy, and it will be required under the proposed rules.
* Start talking to your software vendors. Companies like Epic and Cerner (from Oracle) will address this through software updates and you will need to know their proposed schedules. In my experience it is the smaller software vendors who will need prodding. Make a list and give them a call.
* Assess the impact on your hardware environment. Encryption may require upgrades to handle increased demand on CPUs.
* Encryption key management with a proper KMS is probably the biggest challenge to an encryption strategy. Understand best practices in this area and be sure your vendors line up. Getting this right at the beginning will save a lot of headaches later.
* Start talking to management right now. This will be a significant change and they should get prepared.

Yes, I know – encryption is not a perfect solution. No security solution that we deploy is perfect. But it can substantially reduce the loss of unprotected healthcare data.

I will try to post more about this as the proposed rule-making proceeds.

#HIPAA #InfoSec #Security #IT #MSP #MSSP

Original URL
gemini://mastogem.picasoft.net/toot/113761283968260364