Managing HIPAA's Pain

Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.

April 01, 2004 — CSO — Three blocks north of Union Station in Washington, D.C., on the seventh floor of an ordinary brick building, a small office of the U.S. National Archives and Records Administration churns out a publication known as the Federal Register. This newspaper of sorts, which runs to hundreds of pages per business day, is the public record of rules, proposed rules, and notices that have been issued by federal agencies and executive orders from the president. In the office's library, there are shelves upon shelves of blue-green books that hold past issues of the Federal Register, a bureaucratic archive stretching back to 1935. And if you look up Volume 68, No. 34, Appendix A to Subpart C of Part 164, you'll find a 169-word security standards matrix that tells you everything you ought to be doing to protect your electronic data.

There are no surprises here, just the elegant obvious. Administrative safeguards. Physical safeguards. Technical safeguards. In all, three dozen specific action items, from data backup to password management to encryption, are pulled together on a one-page chart that summarizes a security rule laid out in the preceding 46 pages. And for all its brevity, this security matrix is an unexpected runaway success, the My Big Fat Greek Wedding of federal documentation, if you willa work that no one thought would have a particular impact but that was so accessible it took on a life of its own.

Two-thirds of an early-screening audience requested that the security matrix make its way into the final version of this security rule. It has provided the structure for countless security audits and gap assessments, for task forces and toolkits.

And it's just as important for what it's missing as for what it contains. You see, despite the fact that what we're talking about here applies only to companies in the health-care industryit was issued under the Health Insurance Portability and Accountability Act, or HIPAAit could apply to any company in any industry. First and foremost, this section of HIPAA documentation is about security.

"These are simply good practices," says Kate Borten, CISSP, who is president of health-care consultancy The Marblehead Group. "There's nothing specific to health care in the rule. This is textbook security 101."

"The regulation in general is highlighting good security practices that most security professionals agree on anyway," echoes Paul Scheib, CISO of Children's Hospital Boston. "The term EPHI [electronic protected health information] isn't relevant to other industries, but you could substitute 'business-critical information,' because any business is trying to protect its most critical information."