Business Associates: A HIPAA Enforcement Priority?
CynergisTek's Mac McMillan Calls for OCR to Focus on Vendors
In the year ahead, federal regulators need to ramp up their efforts to enforce HIPAA compliance among business associates because so many lack mature security controls, argues security expert Mac McMillan, CEO of the consulting firm CynergisTek.
Business associates became directly liable for HIPAA compliance in 2013 under the HIPAA Omnibus Rule, but the Department of Health and Human Services' Office for Civil Rights still hasn't announced any enforcement actions against any of those vendors. McMillan says that's unfortunate, given that many of the companies that serve healthcare covered entities have yet to embrace the responsibility they have for safeguarding patient information.
"I'd like to see some of [OCR's] attention go to vendors with respect to the folks who are housing critical systems ... and critical data for our hospitals, and making sure they are doing the job that the hospital is expected to do in protecting patient information," McMillan says in an interview with Information Security Media Group.
McMillan laments what he calls "the lack of maturity in respect to security controls and security programs" at many business associates.
In many cases, he says, business associates, "if they are doing anything at all, they're doing things like SOC 2 [Service Organization Control] evaluations around their data centers, and they look at that as their [HIPAA] requirement, and it's not that at all. That tells me how well you're managing your data center, but that doesn't tell me what your security program is like ... or how you're educating your workforce, or how you're managing their access to patient information or handling that information. What's most troubling to me is when we engage with a lot of the business associates today, we are finding out that they don't have mature security programs at all."
The Year Ahead
Looking ahead to 2016, McMillan expects to see many more hacker attacks in the healthcare sector. "We're going to see more external threats," he says. "The bad guys have figured it out that they can monetize the data that [the healthcare sector] has ... and that the information is not perishable; it's something that can be sold over and over again on the black market and is much more valuable than credit card information."
In the interview, conducted at a recent privacy and security forum hosted in Boston by the Healthcare Information and Management Systems Society, McMillan also discusses:
- His analysis of OCR breach-related enforcement actions in recent weeks, including the agency's $850,000 settlement with Lahey Hospital and Medical Center and also OCR's resolution agreement with insurer Triple-S Management that included a $3.5 million penalty;
- Key data security challenges facing the healthcare sector;
- Other health data security and privacy trends for 2016.
McMillan is co-founder and CEO of CynergisTek Inc., an Austin, Texas-based consultancy specializing in information security and regulatory compliance in healthcare, financial services and other industries. He has more than 30 years of security and risk management experience, including 20 years at the Department of Defense, most recently at the Defense Threat Reduction Agency. He is also chair of HIMSS' privacy and security task force.