Fly First Class and Pay Economy for HIPAA Compliance

The Office for Civil Rights enforces the HIPAA Privacy Rule, which protects the privacy of individually identifiable health information; the HIPAA Security Rule, which sets national standards for the security of electronic protected health information; and the confidentiality provisions of the Patient Safety Rule, which protect identifiable information being used to analyze patient safety events and improve patient safety.

Yikes – How can I do this HIPAA compliance thing for as little money as possible?

You have 2 options:

Option 1 – DIY

You can read the HHS documentation and and do it yourself. This is a not a bad option if you have the time and patience and have a solid understanding of information security and privacy compliance.

Even if you have the security background, be prepared to spend a lot of time reading documentation and getting up to speed on the relevant HIPAA security safeguards.

My colleague Dr. Martin Wehlou is a physician, software engineer and CISSP. Martin could do it himself. But – even if you are a Stanford Medical School graduate, you may want to get expert help on HIPAA compliance for your practice. Do not assume you understand.

If you are mobile app developer, think twice about the DIY strategy.

Consider that mobile healthcare medical devices need to be cleared by the FDA with a 510(K) submission for patient safety and also meet HIPAA requirements for patient privacy and security. Even though a medical device vendor itself is not a HIPAA covered entity, the vendor is considered a business associate to a covered entity and may be required to demonstrate provable security.

Option 2 – Hire a HIPAA compliance consultant

By now you realize that you should probably retain a HIPAA security and compliance consultant who will walk you through the security safeguards in CFR 45 Appendix A and help you understand what you need to implement.

How to get the most out of a HIPAA consulting engagement

You want 2 things from your HIPAA consultant:

1) You want him or her to help you consider multiple threat scenarios that threaten patient data, and do that for your specific business (medical practice, hospital, nursing home etc).

Ask you HIPAA compliace consultant to help you build a number probable threat scenarios – considering what could go wrong – employees stealing a hard disk from a nursing station in an ICU where a celebrity is recuperating for the information or a hacker sniffing the hospital wired LAN for PHI, or residents surfing adult sites with their radiology iPads.

2) Ask your HIPAA consultant to prioritize a set of the most cost-effective safeguards for your operation (and not copy and paste the last report he did for some other hospital).

Threat scenarios are the reality. Compliance regulation is the theory.

Dveloping realistic HIPAA compliance threat scenarios (as opposed to checking off the regulatory checklist) requires some work.

Threat scenarios are not “one size fits all”.

The threat scenarios for an AIDS testing lab using medical devices that automatically scan and analyze blood samples, or an Army hospital using a networked brain scanning device to diagnose soldiers with head injuries, or an implanted cardiac device with mobile connectivity are all totally different.

For a healthcare organization of up to 1000 employees and 1-3 physical locations, here is a rough rule of thumb to help you estimate how much time you should invest in the process.

Allocate 3-5 days brainstorming threat scenarios in a conference room with doctors, nurses and administrative staff – up to 7 people should do the job.

The process of brainstorming threat scenarios for HIPAA compliance has 2 steps:

1. Step 1 – consider how much your assets (people, systems, business, patient data) are worth in dollars and cents. Then consider, the likelihood of occurrence and cost of damage. These are all things that can be estimated or measured.
2. Step 2 – consider likely threats, for example: radiology tablets infected by malware and downtime that affects your ability to provide service is 1 threat scenario.

You and your HIPAA consultant should then spend another 2-3 days, analyzing the data and building a threat model. A good HIPAA consultant will help you look at your business from the perspective of an attacker and then recommend specific cost-effective, security countermeasures to mitigate the damage from the most likely attacks.

Now take the threat model back to the team and run it by them for a sanity check in a 1-2 hour meeting.

After the sanity check with the team that constructed the threat scenarios, you and your HIPAA consultant need to calculate your Value at Risk. Calculating VaR will help shed light on where to save money and where to spend money.

Using threat analysis for HIPAA compliance gives you 3 good things:

1. It gives you the right security safeguards, cheaper and more effective than implementing the entire checklist. Doing the right thing is good.
2. Managers, especially finance managers, relate well to the concepts of threat modeling. A good CFO understands the notion of value at risk, and being a good CFO, will want to implement the right compliance controls at the lowest cost. This is not a bad thing.
3. When you use threat scenarios, you create a common language between physicians and IT. This is a very good thing.