Getting Leadership on Board for Security
Making the Case for Compliance Resources
If your organization's leadership has been lukewarm to funding information security efforts, it's time to turn up the heat.
Enforcement of the HIPAA Omnibus Rule starts on Sept. 23, and non-compliance penalties can range up to $1.5 million per HIPAA violation.
But the cost of a breach goes far beyond potential federal penalties, including forensics, remediation, patient outreach and credit monitoring - not to mention potential lawsuits and a bruised reputation. So clearly, breach prevention is a good investment.
And you'd also better be prepared for the Department of Health and Human Services' Office for Civil Rights' random HIPAA compliance audits, slated to resume soon.
It's not just covered entities that need to worry about possible OCR enforcement actions. Under HIPAA Omnibus, business associates, as well as their subcontractors, are also directly liable for HIPAA compliance. That includes cloud services providers and health information exchange organizations.
You Might Be Next
Also keep in mind that OCR has had a pattern of cherry-picking a variety of different HIPAA cases to spotlight in recent resolution agreements and settlements to emphasize that all types of organizations, including small clinics and even state agencies, are subject to enforcement (see WellPoint to Pay $1.7 Million Settlement).
My guess is that at least one of the first enforcement actions that OCR will take after Sept. 23, when the HIPAA Omnibus compliance grace period ends, will be a case involving a business associate. Why? Because since September 2009, when the HIPAA breach notification rule under the HITECH Act went into effect, more than 20 percent of the major breaches reported have involved a business associate.
Taking a Chance
Some experts predict that many covered entities and business associates won't bother stepping up their security efforts unless they, or one of their close peers, are smacked with a hefty federal penalty. "Until there is a consequence, businesses will take their chances," says Mac McMillan, CEO of the consulting firm CynergisTek.
The problem with information security efforts is that they require expertise and technology - and that can be costly. Getting spending approved by the senior executives who hold the purse strings can prove challenging.
"A big barrier is a lack of executive support for strongly implementing all compliance requirements," says security specialist Rebecca Herold, partner at the Compliance Helper and CEO of The Privacy Professor, a consulting firm. "There are lots of leaders who make decisions about resources and spending who have a lack of understanding about what's required."
McMillan tells the story of a healthcare CISO who has requested funding for encryption for the last three years. "But it gets chopped each year," he says. "This is not a smart business decision. The average cost of a breach far outweighs the cost of encrypting devices."
The CISO finally got the OK for encryption funding once the CEO, CFO and chief medical officer became much better informed about the potential costs of dealing with a breach, McMillan says.
Unfortunately, many other organizations also lack information security governance maturity, McMillan says. Leaders "won't support what they don't know about," he says.
McMillan says that a recent breach at Advocate Medical Group, a Chicago-area physician group practice, illustrates what can happen when security is inadequate.
The theft of four unencrypted computers at the medical group may have exposed information on about 4 million patients. Besides the lack of encryption, the apparent practice of keeping millions of patient records on desktop computers shows a lack of attention to security, McMillan contends.
Now Advocate faces investigations at both the state and federal levels.
Once HIPAA Omnibus Rule enforcement ramps up, many more organizations will undoubtedly face investigations and potential penalties. So if your organization has been procrastinating about sound security and HIPAA compliance practices, it's time for you to get serious about serving as a catalyst for action.
If you have any good examples of how to win support for information security funding, please share them in the comment area below.