While at the HIMSS Privacy & Security Forum in Boston, Mac McMillan recorded a podcast with Marianne McGee of Information Security Group. In this podcast, Mac and Marianne discuss recent HIPAA enforcement by OCR and the future of enforcement for non-compliance. They also discuss what trends the industry can anticipate for 2016. They conclude the podcast with some of the biggest challenges that keep the industry up at night.
Do you think these recent HIPAA enforcement examples by OCR are going to be a new trend?
Mac points out that OCR has gone through leadership and staff changes and now they are finally in a place where they can move forward with issuing settlements. We’ll continue to see enforcement for non-compliance and have already seen that these recent examples have common themes with other settlements, such as lack of risk analysis and encryption.
What enforcement actions would you like to see?
Mac says it’ll be interesting to see how they handle Business Associates in 2016. Despite it being three years since they’ve been directly responsible for protecting personal health information, we still have not seen much of a response from healthcare vendors. A lot of vendors have immature security programs and policies in place, and in general aren’t where they need to be. Mac says, “I’d like to see some of
What trends do you predict for privacy and data security across the industry that we need to pay attention to?
Mac thinks we’ll see more hacking and external threats than we did in 2015 and points out that hackers have figured out that they can monetize healthcare data. Additionally, Mac adds that medical devices and mobile devices will be another data security challenge in 2016, and it’s now time to improve how they are developed, implemented and managed. He says that it is time to rethink those strategies.
What is keeping the security team up at night?
Mac says that we are not where we need to be to protect sensitive data from hackers, and we lack good detection capabilities. This continues to be a difficult issue to combat, and as an industry we need to get better at it. There are so many IT projects and activities that it is often difficult for IT to keep up with managing the network. Losing that foundation makes everything else much more difficult. Last, insider activity is a challenge that keeps the industry up at night, and we are not doing a great job of monitoring or managing what our users are doing. We need to better understand who needs access and to what extent, and limit access accordingly.
Click here to listen to the podcast.