Notes from the Joint OCR/NIST HIPAA Security Conference
Written by: Dianne Bourque, Kimberly Gold, and Stephanie D. Willis
Workforce Training. Training and education were additional compliance measures highlighted throughout the conference. Education is “the best compliance tool” according to Matthew Scholl, Acting Chief of NIST’s Computer Security Division. OCR acknowledged that breaches were inevitable, but critical to any OCR enforcement decision is the existence of compliance measures and systems in place to address the inevitable breach, such as workforce training. As many of the speakers emphasized during the conference, during OCR’s Pilot Audit Program, 58 out of the 59 health care providers audited had at least one negative finding regarding Security Rule compliance. Government officials who spoke at the conference indicated their belief that inadequate workforce training was a key factor in yielding these audit findings. Moreover, their presentations made it clear that the agency may take an expansive view of who is part of a covered entity’s workforce.
Takeaway: No compliance program is effective if employees and contractors don’t know anything about it!
Adequate Encryption. Encryption was highlighted throughout the conference as a critical security measure and an entire panel was dedicated to Safeguarding Data Using Encryption. The NIST speakers in this session pointed out that encryption cannot prevent attacks or other losses of data, but can prevent a world of problems if the data is actually compromised. OCR enforcement officials echoed this theme by pointing out that 60% of breaches reported on OCR’s so-called “Wall of Shame” for data breaches affecting 500 individuals or more, resulted from theft and loss. According to OCR, encryption would have prevented all of these breaches. Further, the speakers in the encryption session made it clear that as breaches by outside actors get more and more sophisticated and medical identity theft gets increasingly lucrative, health care organizations need to ensure that the level of encryption is sufficient for their security needs.
Takeaway: Encryption is an addressable (not mandatory) security standard under HIPAA. However, in the event of a breach, investigation or audit, it will be extraordinarily difficult to convince OCR that encryption is not a reasonable security measure for your organization.
The entire agenda from the OCR/NIST conference is available here, along with links to the presentations and webcast audio.