An Honest Discussion About Security, Compliance, and Responsibilities
Mike Messick
President, Deep Forest Security

While exhibiting at a medical practice trade conference recently, I asked dozens of attendees “Who takes care of security within your practice?” Almost without exception the answer was “Oh, our IT handles it for us.”

While outsourcing security to IT makes sense from a business perspective, our experience has shown that without exception, Covered Entities (CE) that rely on IT to fulfill their security requirements fall far short of the intended goal. The fundamental issue with this approach is that the proverbial tail ends up wagging the dog, and when a CE is audited by the Office of Civil Rights (OCR) because of a data breach or random audit selection, significant fines and reputational damage are the end result. Here’s why:

You get what you pay for. IT is a cost center that enables business. As such, IT services are offered at the lowest price possible with the level of support demanded by the organization. Outside of contractual or departmental obligations, the responsibility placed upon IT to ensure business operations automatically defines their role as operationally focused, not security focused.

Security has multiple meanings. If you ask an IT manager or provider what security related issues they’re responsible for, the answer will likely include firewalls, antivirus, backups, and spam filtering. While these are necessary and critical security components, an overall security management plan that includes executive/owner direction, risk analysis & mitigation, policy development, vulnerability management and other components of a holistic approach to risk-based security will not be mentioned.

Security must start at the top. Security is so much more than firewalls, antivirus, and other technical controls. It’s a way of thinking, that must be embraced by everyone. An effective security plan must be owned, promoted, and enforced by upper management. It starts with owners making a conscious decision to protect patient data and work towards HIPAA Security Rule compliance. Security is driven downwards from there:

Without direction, participation, and support from executive management, IT cannot provide a risk-based security management program necessary to adequately protect patient data and satisfy HIPAA Security Rule requirements.

A better question to ask therefore, might be “Does your organization own its security?” If the answer is not “Yes,” then there may be underlying issues that need to be evaluated; in the eyes of OCR, the Covered Entity is ultimately responsible for all patient data contained therein.