In Depth
Managing HIPAA's Pain
Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.
By Sarah D. Scalet
For the past half decade, legions of newly minted security officers in the health-care industry have been scrambling to meet first a privacy rule and now this security rule, which were both hammered out by the U.S. Department of Health and Human Services under the mandate of HIPAA, passed by Congress in 1996. (The compliance date for a third rule, which involves electronic transactions and code sets and is intended to streamline how health-care organizations process payments, was October 2003.)
CISOs in other industries have mostly yawned their way through the show. But, like it or not, an increasing number of them will soon be participants in, rather than observers of, the government's efforts to improve information security.
The Gramm-Leach-Bliley Act already has had an impact on financial services companies. Federal agencies are grappling with the Federal Information Security Management Act. Publicly held companies are looking at what role information security will play in assuring their internal controls, as required by the Sarbanes-Oxley Act's Section 404. Companies that do business in California are sorting out SB 1386, which requires them to have processes in place to notify customers whose personal information has been compromised. There are even rumblings of mandatory Securities and Exchange Commission disclosures about information security.
Yet no other industry has done as much to comply with such regulations
Halfway between the April 2003 deadline for the HIPAA privacy rule and the April 2005 deadline for the security rule, we spoke with health-care CISOs about the gritty details of compliance. Here, they share what they're learning on their way down a road that you too may be destined to travel.
And at least one CISO
"If all the regulations had come out 20 years ago," says Pacific Life Insurance Assistant Vice President and CISO Micki Krause, whom (ISC)2 named in 2003 as its top information security professional, "we'd all be in a better state."
You Are Where?
Rita Aikins isn't sure just yet what will be involved with bringing the Providence Health System into compliance with HIPAA's security rule. But she knows the process has to start with a risk assessment. Aikins is busy amassing a huge database of department, host/server and application surveys, which compare the requirements of the security rule with the realities at Providence, the Seattle-based nonprofit organization where Aikins is system director of privacy and information.