My focus for the conference was Privacy and Security. For anyone in this field, there is always a lot to take in at the HIMSS conference. Several sessions were offered that focused on Privacy and Security and there are countless vendors touting “secure this,” “secure that,” and “HIPAA Compliant everything.”
Here are the highlights:
Deven McGraw, Deputy Director of OCR, provided an update on activities related to HIPAA audits and enforcement activities. HIPAA audits are underway and the focus is starting to move from Covered Entities to Business Associates. This is new for Phase II of the audit program and I expect that there will by many Business Associates who are woefully unprepared and surprised to be hearing from the OCR because a) they did not even realize they are BAs or b) they did not understand what they were signing when they signed the BAA or their obligations under HIPAA.
The audits are focused on three areas:
The greatest finding across the industry is that organizations consistently have an incomplete or inaccurate risk analysis. It is disappointing that organizations are still struggling with the step that is the basis of compliance with the HIPAA Security Rule even though compliance has been required for twelve years. Further, many organizations who conduct a risk analysis fail to follow up with a proper risk management plan.
Adam Greene is a well-known Privacy and Security attorney and is a fountain of wisdom on all things HIPAA. Adam’s session this year was engaging and informative, as always. He went into great detail picking apart the Breach Notification requirements, including outlining exceptions where notifications may not be required. Adam spent a notable portion of the session discussing Ransomware and the recent OCR guidance on the topic. Adam’s understanding, based on the OCR guidance, is that anytime ransomware encrypts ePHI, it is considered a breach irrespective of whether the data is exfiltrated and viewed by an individual or not. My reading of the OCR guidance differs slightly in that I believe it allows for an organization to prove that the risk of “compromise” is low based on risk assessment. Either way, there appears to still be confusion on this topic despite the OCR guidance document and it was interesting to hear Adam’s take on it.
While the cloud may have been widely discussed in previous years, people were still talking about it this year as organizations continue to struggle to adopt cloud technology in a secure manner in accordance with the requirements of the HIPAA Privacy and Security Rules. Sessions focused on:
The Internet of Things (IoT) seemed to be this year’s hot topic. Discussions surrounded approaches to securing IoT in healthcare. The general consensus seems to be that existing models and frameworks for information security apply equally to IoT; it is simply a matter of ensuring that standards that have always applied to existing technologies are also applied to IoT devices. That said, we can expect a number of guidance documents and standards coming from various government agencies and industry standard organizations.
This year’s HIMSS conference provided an excellent variety of topics varying from Federal and industry updates to discussions of new technologies and the security considerations involved in adopting these technologies. The overarching theme for organizations is, regardless of what the technology or model is:
If you would like to learn more about any of the topics discussed at HIMSS feel free to send me a message or you can learn more about Online Business Systems’ Risk, Security and Privacy practice here.