In Depth
Managing HIPAA's Pain
Halfway between the deadlines for HIPAA's privacy and security rules, health-care CISOs share compliance lessons for the rest of us.
By Sarah D. Scalet
April 01, 2004 — CSO — Three blocks north of Union Station in Washington, D.C., on the seventh floor of an ordinary brick building, a small office of the U.S. National Archives and Records Administration churns out a publication known as the Federal Register. This newspaper of sorts, which runs to hundreds of pages per business day, is the public record of rules, proposed rules, and notices that have been issued by federal agencies and executive orders from the president. In the office's library, there are shelves upon shelves of blue-green books that hold past issues of the Federal Register, a bureaucratic archive stretching back to 1935. And if you look up Volume 68, No. 34, Appendix A to Subpart C of Part 164, you'll find a 169-word security standards matrix that tells you everything you ought to be doing to protect your electronic data.
There are no surprises here, just the elegant obvious. Administrative safeguards. Physical safeguards. Technical safeguards. In all, three dozen specific action items, from data backup to password management to encryption, are pulled together on a one-page chart that summarizes a security rule laid out in the preceding 46 pages. And for all its brevity, this security matrix is an unexpected runaway success, the My Big Fat Greek Wedding of federal documentation, if you will
Two-thirds of an early-screening audience requested that the security matrix make its way into the final version of this security rule. It has provided the structure for countless security audits and gap assessments, for task forces and toolkits.
And it's just as important for what it's missing as for what it contains. You see, despite the fact that what we're talking about here applies only to companies in the health-care industry
"These are simply good practices," says Kate Borten, CISSP, who is president of health-care consultancy The Marblehead Group. "There's nothing specific to health care in the rule. This is textbook security 101."
"The regulation in general is highlighting good security practices that most security professionals agree on anyway," echoes Paul Scheib, CISO of Children's Hospital Boston. "The term EPHI [electronic protected health information] isn't relevant to other industries, but you could substitute 'business-critical information,' because any business is trying to protect its most critical information."
Data Center Directions Virtual Conference
Attend this free, 100% online event exploring tools and techniques for making your data center deliver for today and tomorrow.
Maximizing Site Visitor Trust Using Extended Validation SSL
Now with Extended Validation (EV) SSL available from VeriSign, you can show your customers that they can trust your site. Learn about EV SSL benefits in the free VeriSign white paper.
- The Latest Advancements in SSL Technology
- Maximizing Site Visitor Trust Using Extended Validation SSL
- How to Offer the Strongest SSL Encryption
- Solving Online Credit Fraud Using Device Reputation
- Forrester Reports 321% ROI Through Device-Based Fraud Management
- Enterprise Management Associates: Taking the Botnet Threat Seriously
Get instant notifications when whitepapers, webcasts and case studies are added
to our library. Sign up for a Resource Alert now!
CSO Corporate Partners
7th Annual Digital ID World
-
September 8 - 10, 2008Hilton AnaheimRegister now »
Anaheim, California
(ISC)2 members can earn up to 20 CPE Credits
Reference priority code ONLINE and save $800 off the full registration price — attend the program for $995
