HIPAA preparedness: A journey without end
When Tom Walsh became the first information security manager for a large, multi-hospital system in Kansas City in 1992, people outside the organization had little idea of what the job entailed.
"Since then, my goal has been to have one boring day — but it has never happened," says Walsh, founder and CEO of tw-Security, a firm focused on protecting clients' information resources.
Walsh will moderate "Navigating the Practical and Legal Aspects of HIPAA," an all-day workshop, on April 12 at HIMSS15 in Chicago.
He describes the pursuit of HIPAA compliance as a "perpetual journey" shaped at times by new technology and data-sharing requirements that didn't even exist when the rules were finalized.
For example, according to the National Institute of Standards and Technology, a security risk assessment should be conducted at least once every three years unless an organization undergoes some kind of significant change. "Well, with information technology, things are constantly changing," explains Walsh. "Those that have been attesting for meaningful use have had to re-evaluate their risk analysis year after year. In most cases, things are either annual or ongoing.
"So in practical terms, the goal is to eventually end up in maintenance mode," he adds. "A good compliance officer's job is to make sure that through this journey, you're staying on the right tracks."
In light of the ever-changing environment for data security, Walsh will caution workshop attendees about claiming to be HIPAA-compliant.
"That's a bold statement if you don't have any way to back it up. Even if you are, it's a snapshot in time. Maybe you are compliant today, but you could be out of compliance a month from now because somebody introduced new technology, it changed your network and thus created some new vulnerability that you're not aware of," Walsh observes.
At the same time, however, being knowledgeable about HIPAA can help executives accomplish both business goals and security objectives. For instance, counter to a popular misconception, HIPAA does not mandate that users change their system passwords every 90 days.
"The required action is to authenticate users, and there are other compensating controls that could be incorporated to address authentication," Walsh continues. "Newer forms of authentication like biometrics or even smart cards or tokens are far more secure than using the traditional passwords. That's where we can take the discussion and move away from passwords altogether. There are ways to make it easier to get the job done and still meet the intent of authentication."
He concludes, "That's how I would use security as a business enabler, not an inhibitor."
The HIMSS15 workshop panel will be staffed by:
· Lee Kim, JD, HIMSS director of privacy & security
· Adam Greene, JD, MPH, an attorney with Davis Wright Tremaine
· Rita Bowen, MA, RHIA, senior vice president of HIM and privacy officer at HealthPort
· Mark Dill, director of information security at Cleveland Clinic
Workshop space is limited to 70 attendees.