In Depth

Managing HIPAA's Pain

Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.

By Sarah D. Scalet

Page 3

"[The database] is huge. It's a ton of data," says Aikins. Her group already has compiled 139 application surveys for Oregon alone, their starting point in the audit process, because the capital budget process for Providence's Oregon region occurs earlier than in the other three states where the organization operates. At the end of January, Aikins was wrapping up this security audit in Oregon, and she hoped to have Washington, then Alaska and finally California done by June 30.

Aikins decided it would be more productive to conduct the audit in-house rather than hire a consultant. "I thought it would help if the people who were doing the risk assessment were the ones responsible for implementing the rule," she says. But until the security audit is done, her team can do little else. "The risk assessment gives us the gap analysis," the action items that will put the organization in compliance with the regulation. "Without the risk assessment, you are just kind of spinning."

The final security rule makes that much clear. In an earlier version of the security rule, the requirements were democratically unprioritized. But in the final version, HHS decided to make this risk analysis first on the list of administrative safeguards, the top line on the security matrix. "We believe this forms the foundation on which all of the other standards depend," the rule states.

And that's how most health-care organizations rang in the new year, says Cindy Smith, senior manager with PricewaterhouseCoopers' HIPAA security and privacy practices. "Organizations are in the throes of their risk assessments," she says. "It's never going to be trivial. Everyone is realizing it's a lot of work, but it's not rocket science. It's standard risk assessment: identifying what assets you have and what the risks and vulnerabilities are."

This risk assessment process is a component of Sarbanes-Oxley compliance as well. A few companies are integrating the process and doing a thorough enough assessment to meet both regulations, Smith says. Most, however, aren't. "Some people are saying, I don't want to bite off what I can't chew."

Either way, once the security assessment is complete, the real gnashing and gnawing begins.

Nuts and Bolts

Screen savers. Two thousand, four hundred of them in all, which must lock up and blank out the EPHI on any device at Maimonides Medical Center left unattended for three minutes. "I can't go to 2,400 workstations to do things like set up screen savers," says Mark Moroses, security officer and senior director of technical services. "That's trench warfare."
