Securosis Blog | What No One is Saying About that Big HIPAA Fine


Rich Mogull at Securosis argues that security vendors should not use the $4.3 million HHS HIPAA fine against Cignet Health as a motivator to improve information security.

While I agree that this HHS fine and the $1 million Mass General fine had nothing to do with IT security, it seems to me that HHS is signaling that it is serious about enforcing the HIPAA security and privacy rules. After all, HIPAA was passed in 1996, and these are the first fines ever issued under it.

You certainly can take Rich’s view that the Cignet fine is just about “big boxes of paper and a bad attitude.” But I would not want to be the organization that suffers an information security breach because of lax controls.

For example, suppose you had adopted the SANS 20 Critical Security Controls as your prescriptive information security guide and had implemented all of the Quick Wins and Visibility/Attribution sub-controls, some or most of the Configuration/Hygiene sub-controls with a plan for the rest, and the appropriate Advanced sub-controls. If you still suffered a breach, you surely could not be tagged with “willful neglect,” the HITECH tier that carries the largest penalties.

We will see what fine, if any, HHS levies against the New York City hospital system that admitted to a breach affecting 1.7 million hospital staff, patients, vendors, and contractors.


TrueDLP » Is It Time to Take HIPAA Seriously?


Last week Cignet Health was fined $4.3 million by the HHS Office for Civil Rights (OCR) for violating the privacy provisions of HIPAA. The fine was based on the organization’s failure to comply with requests from 41 patients for access to their records and its subsequent failure to cooperate with the OCR investigation. In addition, Massachusetts General Hospital was fined $1 million for potential HIPAA violations.

These are the first two fines HHS has issued under HIPAA, and they were large because HHS classified the violations as “willful neglect.”

I would say the answer is yes, it’s time to take HIPAA seriously.

Enterprise security strategy – Is More Cyber-Security Regulation the Answer? – eWeek Security Watch


A survey of critical infrastructure companies by Enterprise Strategy Group reported that the companies with the most industry regulations to address tended to have better security practices, which did not strike me as all that surprising. What did strike me as somewhat surprising, though, were some of the things respondents agreed the government should do regarding cyber-security.

According to the survey (PDF), which collected answers from a total of 285 security professionals in industries such as food and agriculture, defense, and information technology, 39 percent said the government should “enact more stringent cyber-security legislation along the lines of PCI.” Thirty-two percent believed the government should create legislation with higher data breach fines.

It seems to me that the federal government should enact some cyber-security legislation, but not along the lines of PCI. Government bureaucracy is too slow-moving to be effective. In fact, IMHO, the PCI DSS bureaucracy is itself too slow-moving: PCI DSS 2.0 could have done much more but chose to focus simply on clarifications. I think the federal government should (1) require broader and more complete breach disclosure and (2) possibly increase penalties for breaches. The latter was the tactic the government took with HITECH to strengthen HIPAA.

In the meantime, the states have been moving aggressively, e.g., Massachusetts 201 CMR 17.