Health Information Portability and Accountability Act (HIPAA) requirements are not new to information security and privacy professionals. A well-managed information security function must be in place to protect a health care organization’s technology and processes, and also protect sensitive data such as electronic protected health information (ePHI). However, emerging technologies and the depth and quality of regulatory audits and reviews require organizations to be agile--addressing emerging areas such as medical device security, vendor management and business associate security.
Mature health care organizations can also leverage the IT audit function to fully understand and manage their risk posture. Unfortunately, in many cases IT audit, IT security and health care privacy operate in silos. However, optimal results are realized when these groups have a robust partnership and work in concert.
Recent rule changes and more aggressive regulatory enforcement have led to significant fines for noncompliance and increased pressure to implement effective security measures. In most cases, it is costlier to react to a security issue than to proactively invest in a mature security framework. A data breach can lead to severe financial sanctions, costs to respond to the breach, reputational damage and potentially jeopardizing sensitive patient information.
However, even amid a rapidly changing information security environment, health care organizations can employ several strategies to better secure their environment. Implementing an existing, formalized framework can increase security measures and align with HIPAA compliance demands. In addition, collaboration and alignment between IT security and IT audit can bring consistency to risk management efforts and can allow the organization to manage HIPAA compliance risks and general controls, and allow management to take a broader view of enterprise-wide risks.