[ISN] $1.5M Fine Marks A New Era In HITECH Enforcement

[InfoSec News <alerts@xxxxxxxxxxxxxxx>]

http://www.darkreading.com/database-security/167901020/security/news/232700031/1-5m-fine-marks-a-new-era-in-hitech-enforcement.html

By Ericka Chickowski
Dark Reading
Contributing Writer
March 21, 2012

Enforcement actions from the U.S. Department of Health and Human 
Services (HHS) Office for Civil Rights (OCR) just reached a new level of 
reality last week when the department announced a $1.5 million 
settlement with BlueCross BlueShield of Tennessee over a 2010 data 
breach, making the organization the first pay out penalties since the 
Health Information Technology for Economic and Clinical Health Act 
(HITECH) went live in 2009. The question now is whether such tangible 
examples of financial fallout will convince healthcare IT to invest in 
better security measures.

"It's certainly a warning shot for the healthcare industry," says John 
Nicholson, counsel for the global sourcing practice at Washington, 
D.C.-based law firm Pillsbury Winthrop Shaw Pittman LLP. "But is that a 
sufficient amount to act as a deterrent? It's hard to tell at this 
point. It's at the upper end of what organizations can be penalized and 
when you break it down it equals about a buck a record lost. For 
companies that are dealing in millions of records, that penalty can add 
up. But that's just at very large companies. And data breaches are 
becoming sufficiently routine that everyone sort of looks at it and 
goes, 'Eh, it's another one.'"

But Nav Ranajee, director of healthcare vertical for CoreLink Data 
Centers, believes that starting to hit the big organizations in the 
pocketbook and making a spectacle out of the process should have the 
desired effect. Many of these organizations have been deprioritizing 
security because there just hasn't been enough financial incentive to 
push it up the stack on the IT to-do list, he says. The HHS making the 
risk of pecuniary damage a real risk of failing to comply with Health 
Insurance Portability and Accountability Act (HIPAA) security 
requirements changes that financial equation for these organizations, he 
says.

"What I'm seeing now when we talk to our clients, say a hospital or a 
business associate like a software company that services a hospital, is 
that when it comes to HIPAA, the first priority of a CIO has 
historically to allocate funds to get that new EMR in house or that new 
clinical system, because thatâs going to pay off in revenue," he says. 
"But when it comes to making sure HIPAA requirements are up to date, 
that's usually the last line item on the budget because it's really a 
sunk cost. Now they're going to have to look at the risk involved and 
wonder 'Do I risk having a million dollar lawsuit if I don't put the 
right security protocols in place?'"

[...]

______________________________________________________________________________
CISSP and CEH training with Expanding Security is the fastest, easiest way
to grock the relevant data you need now.   A free class invite is in every
PainPill.  Sign up for the free weekly PainPill .  It's that easy.
http://www.expandingsecurity.com/PainPill