Q. My understanding is that HIPAA doesn’t mandate use of a specific security standard. Are we required to keep documentation explaining why we chose a particular security standard? I’ve also been told that we are required to encrypt data according to National Institute of Standards and Technology standards. Is this spelled out in the regulations?
More than half (56%) of the respondents to Ponemon Institute’s Fifth Annual Data Breach Preparedness Study reported experiencing an organization-wide breach. Of these respondents, 51% reported that their organization’s data breach response plan is not very effective.
Core security and privacy training content often falls short of good practice. Sometimes, the information security officer and privacy officer do not have the resources to create robust content. Furthermore, organizations often limit training time to avoid any impact on productivity. However, providing incomplete information is short-sighted. An inadequately trained workforce is more likely to directly or indirectly cause regulatory violations and breaches.
Completing a risk analysis can be a tall order for most organizations. A significant amount of work is required before the risk analysis can even be started—and more work must be done afterward to address the vulnerabilities identified by the risk analysis.
Healthcare organizations are facing challenging times. Shifting reimbursement models and the uncertainty surrounding federal programs may cause organizations to tighten their spending. Every department—from clinical to security—can feel the pinch as leadership prepares to weather the bumpy road ahead.