Securosis Blog | What No One is Saying About that Big HIPAA Fine
Rich Mogull at Securosis is claiming that security vendors should not use the HHS HIPAA fine to Cignet Health for $4.3 million as a motivator to improve information security.
While I agree that this HHS fine and the $1 million Mass General fine had nothing to do with IT security, it seems to me that HHS is signaling that it is serious about enforcing HIPAA security and privacy rules. After all, HIPAA was passed in 1996, and these are the first-ever fines issued.
You certainly can take Rich’s approach that the Cignet fine is just about “big boxes of paper and a bad attitude.” But I would not want to be the organization that suffers an information security breach due to lax controls.
For example, if you had decided to use the SANS 20 Critical Security Controls as your prescriptive information security guide and had implemented all of the Quick Wins and Visibility/Attribution sub-controls, some or most of the Config/Hygiene sub-controls (with a plan for the rest), and the appropriate Advanced sub-controls, and still suffered a breach, you surely could not be tagged with “willful negligence.”
We will see what fine, if any, HHS levies against the New York City hospital system, which admitted to a breach affecting 1.7 million hospital staff, patients, vendors, and contractors.
TrueDLP » Is It Time to Take HIPAA Seriously?
Last week Cignet Health was fined $4.3 million by the OCR for violating privacy provisions in HIPAA. The fine was based on that organization's failure to comply with requests from 41 patients to access their records and its resulting failure to cooperate with the HHS Office for Civil Rights investigation. In addition, Massachusetts General Hospital was fined $1 million for potential HIPAA violations.
These are the first two fines issued by HHS, and they were large because HHS classified these incidents as “willful neglect.”
I would say the answer is yes, it’s time to take HIPAA seriously.
Enterprise security strategy – Is More Cyber-Security Regulation the Answer? – eWeek Security Watch
A survey of critical infrastructure companies by Enterprise Strategy Group reported that the companies with the most industry regulations to address tended to have better security practices, something that did not strike me as all that surprising. What did strike me as somewhat surprising, though, is some of the things people agreed the government should do with regard to cyber-security.
According to the survey (PDF) – which fielded answers from a total of 285 security pros in industries such as food and agriculture, defense and information technology – 39 percent said the government should “enact more stringent cyber-security legislation along the lines of PCI.” Thirty-two percent believed the government should create legislation with higher data breach fines.
It seems to me that the federal government should enact some cyber-security legislation, but not like PCI. Government bureaucracy is too slow-moving to be effective. In fact, IMHO, the PCI DSS bureaucracy is too slow-moving. PCI DSS 2.0 could have done much more but chose to simply focus on clarifications. I think the federal government should (1) force more, and more complete, breach disclosure and (2) possibly increase penalties for breaches. The latter was a tactic the government took with HITECH to strengthen HIPAA.
In the meantime, the states have been moving aggressively, e.g. Massachusetts 201 CMR 17.
American Medical News reported today (Feb 1, 2010) that the first lawsuit has been filed by a state Attorney General for a personal medical information privacy violation under the HITECH Act. The HITECH Act, part of the 2009 stimulus bill, was designed to strengthen HIPAA, which until then had limited penalties for violations.
If the HITECH Act itself was not enough of a wake-up call, this lawsuit surely ought to be.
The Department of Health and Human Services this week published the regulations for the "breach notification" provision of the Health Information Technology for Economic and Clinical Health (HITECH) Act, of the American Recovery and Reinvestment Act of 2009 (ARRA). In effect, this is an extension of HIPAA and further strengthens HIPAA's Privacy Rule and Security Rule.
The new breach notification regulations are in a 121-page document. HHS also issued a press release that summarizes the new regulations.
This type of breach notification regulation started in California with SB 1386, which went into effect on July 1, 2003. Since then, about 40 other states have passed similar laws.
In 2008, California went on to pass a specific health care information protection law, SB 541, which requires notification of breaches and carries financial penalties of up to $250,000 per incident. Here is a Los Angeles law firm's presentation on it. Since SB 541 went into effect on January 1, 2009, there have been over 800 incidents reported.