HIPAA Covered Entities are Still on their Heels.

February 7, 2017


The healthcare industry in the US as a whole is still on its heels when reacting to cyber security issues, and the lack of industry standardization is not helping business decision makers manage this aspect of their business.

A lack of industry standardization is frustrating not only to the IT professional but even more so to business decision makers, who already have trouble understanding the lingo common among IT professionals. Doctors just want to practice medicine, and after the wave of the worst written document in US Government history (HIPAA), it is a daunting and scary task for medical professionals to understand what they have to do for compliance and actually do it, with little help on the specifics of information security from HIPAA itself.

It is very likely that the next wave of attacks will target data integrity, compounded by organizations' inability to find people to protect their data (attacks on integrity and accountability).

The best course of action a small or medium sized HIPAA covered entity could take is to:

1. Just keep reading HIPAA until you understand it. It takes a few times, is sometimes contradictory, and it is obviously very frustrating. But don’t worry; everyone is in the same situation. Once the compliance part is done…

2. Check out the FFIEC IT Handbooks. The financial industry has very clear regulations, with specific tools and methodologies to bring your systems up to par, and it serves as a good example of a well-managed regulation.

3. And of course, keep the ISO 27000 and NIST SP 800 series in your back pocket. Some of the NIST SP 800 series documents also have information on how to understand HIPAA rules. Additionally, if anything new is going to show up with HIPAA, it will likely be formed from these documents.

These are a good place to start to understand the lingo and what is going on in the cyber security world. On top of this, a good core system provider would be the best option for small and medium sized HIPAA covered entities. Using the NIST Special Publications and the HIPAA regulation as references should give a decision maker enough knowledge to select the right company to manage their systems.

5 Comments
  1. Thanks! Good overview for me as someone new to HIPAA. And a joke for you HIPAA people:
    Knock knock.
    Who’s there?
    HIPAA
    HIPAA who?
    I can’t tell you that!

  2. “The HIPAA Rules are flexible and scalable to accommodate the enormous range in types and sizes of entities that must comply with them. This means that there is no single standardized program that could appropriately train employees of all entities.”

    https://www.hhs.gov/hipaa/for-professionals/training/index.html

    This site provides a great starting point. To design protocols and implement policies you must understand it. I suggest this site as the best starting point for self-edification, and then following up with the appropriate enforcement body for the type of health provider you serve. There are also tons of sites that take apart the HIPAA rules and provide meaning for each type of provider, but it will never be an easily distilled process. Joint Commission, AHRQ, Nurse.com, AMA and each state all have quite a bit of information and access to training. When in doubt, seek out the enforcement agency (or agencies) for your stakeholders.

    Kudos on your suggestion to use the FFIEC IT rules as a template for protocols and to organize this process. These have been distilled over decades and decades. Brilliant!

  3. Nice article, thanks!

  4. Good write-up! Maybe you can reference some more specific NIST and ISO 27000 documents? I’ve been working to implement ISO 27001 within my company and it doesn’t reference HIPAA, but is rather a “best practices” and continual improvement guideline unique to the company’s needs and business.
