Businesses and Organizations in the U.S. Healthcare Industry are arguably subject to the most stringent data privacy and security laws on the planet. If you’re a Healthcare IT leader involved in compliance efforts – we certainly sympathize with you. Recently, Aaron McIntosh and I held a webinar on HIPAA Compliance for 2017 and Beyond in partnership with HiMSS – a 60,000+ member not-for-profit organization dedicated to improving healthcare through the best use of IT1. Our aim was to improve Healthcare IT leaders’ understanding of HIPAA in the context of the trends, breaches and common compliance issues we’re seeing across the industry so far in 2017. But it turns out that we gained far more insight than we shared with our audience of more than 140+ IT and Compliance leaders.
Here’s what we learned:
IT Leaders have Mixed Feelings about Meeting HIPAA Requirements
Meeting all requirements under HIPAA is no easy task, and it’s difficult knowing where to begin. It came as no surprise then that the majority of respondents said they are either ‘Not Confident’ (10%) or only ‘Somewhat Confident’ (40%) that their organization is meeting all HIPAA requirements. We also received multiple questions about the difference between ‘required’ and ‘addressable’ implementation specifications listed under the Security Rule, including encryption. It’s clear that IT leaders are uncertain about how to properly implement security measures to a “reasonable and appropriate” level. That’s why we suggest a different approach – a shift from compliance checkboxes to risk-based strategy.
There is a Noticeable Shift from Checkbox Compliance to Risk-Based Strategy
It’s difficult to have confidence in meeting compliance standards when recent events, fines and investigations seem to reveal new areas of vulnerability. And It’s obvious that simply “checking the box” to address compliance isn’t a sufficient strategy. That’s why IT leaders are now thinking more in terms of ‘risk management’ rather than ‘compliance requirements’. During the webinar, many asked about risk-management frameworks like the HITRUST CSF, ISO 27001 and the NIST Cybersecurity Framework. A move from checkboxes to frameworks indicates a shift to a more proactive risk-based strategy, where ‘addressable’ measures like encryption are necessary to risk management and prevention.
IT Leaders are Uncertain about Shared Responsibility in the Cloud
What if a service is HIPAA or ISO-compliant? Doesn’t the cloud service provider have security? Our third-parties are complaint, would this suffice? When we discussed Business Associate Agreements – mandated by HIPAA – specifically with Cloud Service Providers (or CSPs), these questions and more flooded our inbox. It seems Cloud is gaining traction in healthcare, but uncertainty remains about managing risk and compliance in this new shared environment. So let’s be clear, if you’re a Covered Entity, it’s your responsibility. HHS Guidance on Cloud Computing states that if the data or keys used to decrypt that data in the Cloud are compromised, you’re responsible. And we know it’s possible, given the recent breach of AWS keys with OneLogin.
Native Encryption Options like BitLocker and FileVault 2 are Increasingly Popular
Lack of safeguards, particularly encryption, is one of the most common compliance pitfalls. We know that encryption is critical to meeting HIPAA compliance and managing risk to protected health information (PHI). But we also know that healthcare budgets leave little room for flexibility. For this reason, pre-installed or “native” encryption offerings like BitLocker and FileVault 2 are particularly appealing. In fact, when asked about encryption, most respondents said they’re using native encryption (31%), compared to third-party encryption (27%), while others believe it’s not necessary (7%) or were unsure (35%). However, numerous respondents using native encryption cited issues with complexity and performance, more so than with third-party encryption solutions like WinMagic’s SecureDoc.
Implementing Encryption Can Be a Challenge in Healthcare IT
We know that encryption isn’t always easy, and that’s exactly why we aim to understand the biggest challenges with implementing or using encryption for data-at-rest. Not surprisingly, it was about an even split across Cost (24%), Complexity (26%), Compatibility (28%), and Performance (22%). Numerous respondents during the live webinar also asked us to allow multiple answers to the question. At a very basic level, we know you’re looking for protection, so we offer high performance encryption consistent with regulatory requirements. But really, we aim to do so much more than that.
Watch the on-demand webinar here:
Or if you’re ready to get started, contact WinMagic today! We can help you reduce the cost and complexity of encryption, with the most widely compatible, high-performance encryption in the market!http://www.himss.org/about-himss