On Feb. 19, Michael H. “Mac” McMillan, co-founder and CEO of the Austin, Tex.-based consulting firm CynergisTek, and chair of the Privacy & Security Policy Task Force of the Healthcare Information & Management Systems Society (HIMSS), presented an important update on federal healthcare data security mandates, as part of a webinar sponsored by the Toronto-based Asigra. He brings over 30 years of combined intelligence, security countermeasures and consulting experience to his position, in both government and private sector positions. He has worked in the healthcare industry since his retirement from the federal government in 2000, and has written widely about data and information security topics for a variety of audiences in healthcare.
Just prior to his presenting important information and insights about the final Omnibus Rule under the American Recovery and Reinvestment Act of 2009 (ARRA), around healthcare data and information security, Mac McMillan spoke with HCI Editor-in-Chief Mark Hagland about the crucial issues facing the healthcare industry at this time. Below are excerpts from that interview.
Please share some basic details about the recently published final Omnibus Rule, and how that revision will affect providers going forward.
The Omnibus Rule came out of HHS on Jan. 25, and one of the things it changed under HIPAA [the Health Insurance Portability and Accountability Act of 1996] was the final rule on breach notification, eliminating the harm provision, and replacing it with a new formula, which presumes a breach unless you can prove otherwise. So now you have to start from the position that I have a breach until I prove otherwise, for any incident where a breach might have taken place.
What will the penalties be for breaches under the final Omnibus Rule?
Penalties range from informal penalties such as a compliance action plan or resolution agreement all the way to fines and civil or criminal prosecution.
Are only hospitals and medical groups covered, or all providers?
It applies to all covered entities and business associates, anyone who handles PHI [protected health information].
What is the level of preparedness for this in the industry?
It’s not high. And I just received the results from OCR [the federal Office for Civil Rights] from the 115 audits that they performed last year, which I’m currently analyzing.
Where are the three or four biggest gaps where people are falling down?
One is knowing exactly where their data is; two, having conducted an accurate or thorough risk assessment with respect to where their risks are in the environment. Three is level of protection for things like encryption or DLP. And the fourth is having a good handle on the vendors that they work with, particularly as many hospitals move data out into the cloud.
Obviously, the first key element is having a good understanding of where your risks are. And that entails knowing where your data is created, where it’s stored, where it’s going in terms of where it’s being sent, etc., and understanding the various technical controls and processes around each of those operational uses of your information, to be able to identify where there is potential for exploitation or breach, and then addressing those things.
So probably the first thing I say to people is that the first thing you need to do is to conduct a thorough risk assessment to identify risks that need to be addressed. The second thing is really, truly understanding the resource commitment and having a plan for creating a secure environment; and most folks don’t do that well yet. They don’t think of security as a business program, they think of it as a regulatory requirement. Instead of something I need to literally plan for strategically, they think of it as something to worry about if I’m audited.
The third thing is having good accountability and awareness of your environment; security is built around preparedness, detection, and reaction, right? And we’re talking about the detection and reaction elements. Do we have the knowledge and awareness to be able to detect to things that could lead to a breach and aren’t consistent with our policies and behavior? And do we have the ability to react to those things and stop them?
So when you’re talking about managing breaches, you’re really talking about knowing where your risks are, and having the proper controls in place to prevent having those things happen, and having the ability to detect and react. It’s really those three things, and most organizations don’t do any of those three well.
Most organizations still don’t have a CISO [chief information security officer] yet, correct?
Yes, you’re right, most organizations haven’t planned for this and haven’t yet put the resources into it.
So staffing and resourcing are important, right?