HIPAA Covered Entities are Still on their Heels.
The healthcare industry in the US as a whole is still on its heels when reacting to cyber security issues, and the lack of industry standardization is not helping business decision makers manage this aspect of their business.
A lack of industry standardization can be frustrating not only to the IT professional but even more so for business decision makers, who already have trouble understanding the lingo that is common among IT professionals. Doctors just want to practice medicine, and after the wave of the worst-written document in US Government history (HIPAA), it is a daunting and scary task for medical professionals to understand what they have to do for compliance, and to actually do it without much help from HIPAA on the specifics of information security.
It is very likely that the next wave of attacks will target data integrity, coupled with organizations' inability to find people to protect their data (attacks on integrity and accountability).
The best course of action a small or medium-sized HIPAA covered entity could take is to:
1. Just keep reading HIPAA until you understand it. It takes a few times, is sometimes contradictory, and it is obviously very frustrating. But don’t worry; everyone is in the same situation. Once the compliance part is done…
2. Check out the FFIEC IT Handbooks. The financial industry has very clear regulations and specific tools and methodologies for bringing your systems up to par, and it serves as a good example of a well-managed regulation.
3. And of course, keep the ISO 27000 and NIST SP 800 series in your back pocket. Some of the NIST SP 800 series documents also have information on how to understand HIPAA rules. Additionally, if anything new is going to show up with HIPAA, it will likely be formed from these documents.
These are a good place to start to understand the lingo and what is going on in the cyber security world. On top of this, a good core system provider would be the best option for small and medium-sized HIPAA covered entities. Using NIST Special Publications and the HIPAA regulation as references should give decision makers enough knowledge to select the right company to manage their systems.