As the year has drawn to a close, Leon Rodriguez, Director of the Office of Civil Rights, has been on the speaking circuit. Revealing the office’s focus for 2013, he has spoken at length about how the OCR, and its enforcement of HIPAA and HITECH, views security as a holistic approach. John Halamka, Healthcare CIO, describes it as “security program maturity.”
“A mature program uses a framework such as NIST 800 to serve as rubric for stakeholder analysis of risk. Such a framework ensures that stakeholders consider all the elements of risk and not just the ones that are top of mind for experts in the room. Risks can be physical security, mobile devices, human factors including staffing levels that concentrate expertise in too few people, configuration policies, and timeliness of audit log reviews. In the past, many CIOs in healthcare have been given enough security staff to support operations but not enough staff to create the processes, policies, and documentation that reflect a mature, optimized program.
If you take a look at Leon’s slides, you’ll see that the Office of Civil Rights wants to ensure organizations have done a thorough risk analysis. I would recommend doing this yearly. Once the risk analysis is done, stakeholders including Boards and senior management should prioritize risk, develop mitigation action plans, and document their decisions.”
With the renewed focus on Risk Assessments and other preventive measures – as required by Meaningful Use – 2013 looks to be the year HIPAA security matures from reactive data breach response to proactive data breach prevention.
You can read the whole article, “Creating a Mature Security Program”.