In February 2002, California enacted SB-1386, a law requiring companies to disclose security breaches affecting the privacy of their customers. Although other, distantly similar conditions existed in EU privacy laws and in GLBA in the US reaching back to the late 1990s, few predicted that SB-1386 would become the catalyst for the massive wave of breach notification laws we see today.
The most noteworthy occurred within days of President Obama entering office, when he signed the American Recovery and Reinvestment Act (ARRA) of 2009. Tucked beneath the mountain of legalese was Title XIII, Health Information Technology, more commonly known as the Health Information Technology for Economic and Clinical Health Act (HITECH), a relatively small section that has changed everything.
In short, HITECH is a breach notification law that has now been integrated into HIPAA. Among its many proclamations, it forces the healthcare industry to reissue Business Associate Agreements (BAAs) with all their business partners and providers to specifically address breaches. By doing so, any organization coming in contact with protected healthcare information is responsible and liable. It ultimately gives teeth to HIPAA.
Now, the healthcare industry, which had just reached a point where HIPAA was fully integrated and manageable, is faced with a new challenge. It is no longer enough to protect data; the industry must now have assurance, solid event detection capabilities, well-defined incident response, and, of course, notification processes. Moreover, healthcare vendors, partners, and providers are now faced with meeting these expectations or risk losing their healthcare customers.
Breach notification has created an interesting dynamic and represents a shift in regulatory strategy. The government has redirected its focus from protective and preventative measures to response measures. Essentially, it is setting the penalties and fines in the event of a breach as opposed to the specific controls to avoid such catastrophes. The government is simply saying, “Your controls are not as effective as we’d hoped or intended. Therefore, we are focusing on the fallout in the hope that it will encourage better controls.”
This change in strategy is resonating throughout the healthcare industry in a fascinating way. Prior to HITECH, organizations were given security control expectations to achieve compliance. Unfortunately, compliance does not always equal security, but given how the industry was regulated, compliance was of superior importance, and understandably so.
However, now armed with clarity on the fiscal impacts of a breach, organizations are more interested in meaningful security controls as opposed to simply what is expected of a compliance audit.
In my next post, I’ll discuss the best practices that healthcare organizations are putting in place to address the unique environment that they face.
By: Jim Tiller, Global Security Practice Head, BT Global Services