Wednesday, June 13, 2007

If Everyone Cared

From another forum where I am a moderator comes this question from someone worried about IT security:

I was asked this question, and I'm not quite sure how to answer it. Where does one turn when they see a complete disregard and lack of importance in the compliance for HIPAA security. The privacy rules are basically followed. But on the technology side, they have policies in place that are just not followed, upper management has stated behind closed doors that HIPAA and security really aren't that important. There really is no one who is the HIPAA security officer. HR is the HIPAA privacy officer. And no one in the healthcare facility will take the issues seriously - even when approached by their own IT about its importance.
Where do they turn, and how do they go about it while keeping their job

The problem is, of course, that enforcement has been criminally lax. But with the recent change in power comes a new emphasis on enforcement, and there are going to be covered entities that are going to become the big, awful example. In the past very little was done when someone was found to be out of compliance, but recent news suggests that the tide is turning.
One of the most compelling reasons to follow the HIPAA security rules is that they are generally best practices anyway. The time to protect yourself is not after you have already been exposed.
All it would take would for there to be a big data loss, with PHI exposed, and those same scofflaws would be scrambling to save their behinds. And the goat would be the IT guy--- no matter the final outcome, the first instinct of those in charge is to blame underlings, and nobody likes IT people anyway.
The process is complaint driven, which means that someone has to rat them out first. The good news is that any affected person can complain, which in practice means just about anybody.
I would suggest the hair-on-fire approach, pointing out to the beancounters that the exposure is real, the dangers are extreme, and the risk to their jobs, the economic strength of the facility, and the possible irreparable PR disaster of a major data loss is not in any way worth not following procedures.
Of course, it is important to make certain that the procedures and policies don't interfere with the business at hand. Healthcare frontliners are notoriously hostile to extra steps that seem to make their primary mission more difficult. Your procedures need to be as transparent to the end user as possible, or they will be disregarded, bypassed or ignored.
The person may be able to convince management of the possible financial risks involved, as money seems to motivate. They may also volunteer to be the champion on this, as sometimes the only reason things don't happen is nobody wants to bell the cat.
Of course, without the buy-in of top management, this is all moot, because every organization is like a fish, in that it rots from the head down. Without a security officer, and absent help from on high, there is not much to be done.
Good luck on this!

No comments: