[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ISN] $1.5M Fine Marks A New Era In HITECH Enforcement



http://www.darkreading.com/database-security/167901020/security/news/232700031/1-5m-fine-marks-a-new-era-in-hitech-enforcement.html

By Ericka Chickowski
Dark Reading
Contributing Writer
March 21, 2012

Enforcement actions from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) just reached a new level of reality last week when the department announced a $1.5 million settlement with BlueCross BlueShield of Tennessee over a 2010 data breach, making the organization the first pay out penalties since the Health Information Technology for Economic and Clinical Health Act (HITECH) went live in 2009. The question now is whether such tangible examples of financial fallout will convince healthcare IT to invest in better security measures.

"It's certainly a warning shot for the healthcare industry," says John Nicholson, counsel for the global sourcing practice at Washington, D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. "But is that a sufficient amount to act as a deterrent? It's hard to tell at this point. It's at the upper end of what organizations can be penalized and when you break it down it equals about a buck a record lost. For companies that are dealing in millions of records, that penalty can add up. But that's just at very large companies. And data breaches are becoming sufficiently routine that everyone sort of looks at it and goes, 'Eh, it's another one.'"

But Nav Ranajee, director of healthcare vertical for CoreLink Data Centers, believes that starting to hit the big organizations in the pocketbook and making a spectacle out of the process should have the desired effect. Many of these organizations have been deprioritizing security because there just hasn't been enough financial incentive to push it up the stack on the IT to-do list, he says. The HHS making the risk of pecuniary damage a real risk of failing to comply with Health Insurance Portability and Accountability Act (HIPAA) security requirements changes that financial equation for these organizations, he says.

"What I'm seeing now when we talk to our clients, say a hospital or a business associate like a software company that services a hospital, is that when it comes to HIPAA, the first priority of a CIO has historically to allocate funds to get that new EMR in house or that new clinical system, because thatâs going to pay off in revenue," he says. "But when it comes to making sure HIPAA requirements are up to date, that's usually the last line item on the budget because it's really a sunk cost. Now they're going to have to look at the risk involved and wonder 'Do I risk having a million dollar lawsuit if I don't put the right security protocols in place?'"

[...]

______________________________________________________________________________
CISSP and CEH training with Expanding Security is the fastest, easiest way
to grock the relevant data you need now.   A free class invite is in every
PainPill.  Sign up for the free weekly PainPill .  It's that easy.
http://www.expandingsecurity.com/PainPill