Another is mandating integrity controls under the rule’s standard for transmission security. In the era of modems and phone line transmission, data errors could occur. Today’s transmission protocols are reliable; most are sent using some form of encryption.
Although encryption is an “addressable” implementation specification in the current rule, it needs to be a requirement, with exceptions properly managed via compensating controls.
The HIPAA Security Rule Demands More Clarity
Additionally, the rule must address modern-day tools and security issues, such as requiring user account lockout after a predetermined number of failed login attempts. According to the National Institute of Standards and Technology, this is the top security control to prevent hacking.
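The lockout control mentioned above is simple to state but has details worth getting right: a counting window, a cooldown rather than a permanent lock, no reset of the counter while a lock is active, and an audit event every time a lock trips so the SOC can see it. The following is an added example written for this article (not code from the author or from NIST) that implements such a policy over a constructed stream of login events; the class and function names, the thresholds, and the sample events are all assumptions chosen for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class LockoutPolicy:
    """Assumed policy values; real settings come from the organization's standard."""
    threshold: int = 5          # failed attempts that trigger a lockout
    window_seconds: int = 900   # only failures inside this window are counted
    lockout_seconds: int = 1800 # cooldown; a timed lock limits self-inflicted denial of service


class LockoutTracker:
    """Tracks failed logins per account and enforces the policy."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self._failures: dict[str, deque] = {}   # account -> timestamps of recent failures
        self._locked_until: dict[str, float] = {}
        self.audit: list[tuple[str, str, float]] = []  # (event, account, time) for detection

    def is_locked(self, account: str, now: float) -> bool:
        until = self._locked_until.get(account)
        if until is None:
            return False
        if now >= until:                        # cooldown expired: clear lock and counter
            del self._locked_until[account]
            self._failures.pop(account, None)
            return False
        return True

    def record_failure(self, account: str, now: float) -> bool:
        """Returns True if the account is (now) locked."""
        if self.is_locked(account, now):
            return True
        window = self._failures.setdefault(account, deque())
        window.append(now)
        cutoff = now - self.policy.window_seconds
        while window and window[0] < cutoff:    # drop failures older than the window
            window.popleft()
        if len(window) >= self.policy.threshold:
            self._locked_until[account] = now + self.policy.lockout_seconds
            self.audit.append(("lockout", account, now))
            return True
        return False

    def record_success(self, account: str, now: float) -> bool:
        """Returns True if the login is accepted. A correct password does not clear an active lock."""
        if self.is_locked(account, now):
            self.audit.append(("denied_while_locked", account, now))
            return False
        self._failures.pop(account, None)       # successful login resets the failure counter
        return True


# Constructed sample login events: (seconds, account, outcome reported by the authenticator)
SAMPLE_EVENTS = [
    (0, "alice", "fail"), (10, "alice", "fail"), (20, "alice", "fail"),
    (30, "alice", "fail"), (40, "alice", "fail"),   # fifth failure -> lock
    (50, "alice", "success"),                       # right password, still locked
    (100, "bob", "fail"), (200, "bob", "success"),  # one miss, then fine
    (2000, "alice", "success"),                     # cooldown over, accepted
]


def replay(events, policy: LockoutPolicy = LockoutPolicy()) -> dict:
    """Runs events through the tracker and summarizes what a SOC would see."""
    tracker = LockoutTracker(policy)
    summary = {"lockouts": [], "denied": [], "accepted": []}
    for ts, account, outcome in events:
        if outcome == "fail":
            tracker.record_failure(account, ts)
        elif tracker.record_success(account, ts):
            summary["accepted"].append((account, ts))
        else:
            summary["denied"].append((account, ts))
    summary["lockouts"] = [(a, t) for ev, a, t in tracker.audit if ev == "lockout"]
    return summary


if __name__ == "__main__":
    for key, value in replay(SAMPLE_EVENTS).items():
        print(key, value)
```

Two design points carry over to any real implementation: the lock is per account and time-limited, so an attacker guessing passwords cannot permanently deny service to a clinician, and the `audit` list stands in for the log event that should feed the detection pipeline, since a burst of lockouts across many accounts is itself the signal of a password-spraying attempt.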
The HIPAA Security Rule is also missing some key definitions that should be added or clarified. These include:
- Risk analysis: Many interpreted this to mean an assessment of compliance. (Adding to the confusion, NIST uses “risk assessment” interchangeably with risk analysis.) The definition should recommend a frequency for conducting analyses on all applications and systems storing PHI.
- Policies: For most, this word means a document that defines management’s expectations. To IT folks, “policies” can refer to technical settings or controls. Active Directory or enforced workstation settings are policies.
- Incidents: Back in 1998, having your network “pinged” was a reportable incident. Today, we’re constantly pinged. The industry needs realistic benchmarks of when ransomware or phishing are reportable breaches.
- Executive accountability: By approving budgets, executives can determine how much money will be allocated to information security, and they should be held accountable for the results.
A Focus on Vigilance Must Be Top of Mind
Compliance, as leaders know, is attained through the implementation of robust procedures and plans. But I’m not aware of any hacker who has been thwarted by a set of compliance documents.
This is why the focus must be on technical controls that prevent or detect hacking and malicious code, rather than on administrative policies that divert resources from real security.