For a long time, many in the security industry felt that HIPAA had no bite: until there were a few examples of healthcare companies made to pay the piper for HIPAA violations, the industry as a whole would not toe the line. Well, if that were the case at one point, it is not anymore. Over the last year or so, there has been a pretty steady stream of fines levied for violations of HIPAA regulations that resulted in patients' electronic confidential data being breached.
Two of the most recent fines levied were a $400k fine against the University of Idaho as a result of a breach at a series of clinics they operate and a whopping $1.7 million fine against Wellpoint for violations between 2009 and 2010. Both of these cases were a little different from the usual HIPAA case in that they did not involve a lost laptop or backup containing patient data. In the case of Wellpoint, they had an online application database that was accessible from the internet, with over 600,000 patients' information exposed. The Idaho case is even more shocking: they inexplicably shut down a firewall for over 10 months!
I had a chance to sit down and speak to some experts about these recent cases and the general state of HIPAA compliance. Our conversation is below. It is a little long, at 26 minutes, but I think it is well worth the listen. I am joined in this conversation by my friend Steve Spearman of HIPAA managed services provider Health Security Solutions, Billy Austin, President and co-founder of iScan Online, and Tim Woods, VP of customer technology services at Firemon. All three guests had some great advice on how healthcare providers can better stay on the right side of the HIPAA regulations and avoid being the next organization in the headlines.
Of course, not turning your firewall off is an easy one, but compliance is often not as black and white as that. With more and more medical data being converted into electronic records, there is greater emphasis on storing this data safely and securely.
Have a listen, and if you have any questions or comments please post them and we will try to get our panel members to answer. (If you don't see a media player below, please reload the page.)
As co-founder and Managing Partner at The CISO Group, Alan Shimel is responsible for driving the vision and mission of the company. The CISO Group offers security consulting and PCI compliance management for the payment card industry. Prior to The CISO Group, Alan was the Chief Strategy Officer at StillSecure. Shimel was the public persona of StillSecure as it grew from a start-up to helping defend some of the largest and most sensitive networks in the world.
Shimel is an often-cited personality in the technology community and is a sought-after speaker at industry and government conferences and events. His commentary about the state of security, open source and life is followed closely by many industry insiders via his blog and podcast, "Ashimmy, After All These Years" (www.ashimmy.com). Alan is now also a regular contributor to The CISO Group's security.exe blog and podcast.
Alan has helped build several successful technology companies by combining a strong business background with a deep knowledge of technology. His legal background, long experience in the field, and New York street smarts combine to form a unique personality.
Disclosure: The CISO Group sells a software-as-a-service PCI compliance application called SAQPro. The company is independent and does not represent any other vendor's products as a reseller.
Policy on comments: Respectful discussion is welcomed! However comments that use inappropriate language, consist of name calling or personal attacks, or include accusations of wrongdoing are not appropriate. Those comments will be deleted or edited.