A huge applause from the NIST-OCR-HIPAA 2015 conference

September 09, 2015, Andrew Hicks, Managing Principal, Coalfire

It looked like the 8th annual conference may have garnered record-breaking attendance, as I noticed hotel staff rushing to add skirted tables and chairs to the back of the room to accommodate a standing-room-only crowd. I guess that was to be expected given the star-studded line-up of presenters, including HHS OCR Director Jocelyn Samuels, her brand new Deputy Director, Deven McGraw, and the OCR enforcer, Iliana Peters. We also heard from government officials at the FTC, the ONC, NIST’s NCCoE, and the HHS Preparedness and Response office. The audience responded to each session with a line of people trailing from the microphone set up for Q&A – and with excellent questions, too!

One gentleman posed a question (or actually, a problem) to Director Samuels about how small healthcare organizations simply aren’t securing data and getting compliant. With her usual positive and ‘hopeful’ words (a word she said the government is famous for using), she pointed out the many tools and endless information available on the OCR’s web site. She added that they are planning to redesign and launch their new web site ‘soon’ – apparently another commonly used term by the government. Immediately the gentleman stopped her and said that the problem is not that these healthcare organizations are unaware of what they need to do and what’s out there to help them get it done… it’s simply that they aren’t doing it. He added that announcements of new fines and penalties resulting from OCR investigations are not helping. The room broke out into applause for the gentleman’s response, as we all shared the pain of not having a mandate in the industry to force these organizations to comply.

This brings me to a panel discussion about best practices for safeguarding the confidentiality, integrity and availability of ePHI, where the audience could pose all sorts of questions about executing a risk analysis, incident response planning, BYOD issues, access controls, encryption, and the security of medical devices and the cloud – the same old issues we talk about over and over. But one question for the panel was about the recent HITRUST CSF certification mandate that several large covered entities have placed on more than 7,500 business associates, to be completed in the coming months. What did the panel think of this gutsy move? They all thought it was a good idea, then moved on to the next question.

But it’s more than a good idea – whether the industry is going to mandate compliance with the HITRUST Common Security Framework or another risk management framework, organizations just need to pick one and get busy with a program to secure data. To be clear, a compliance framework outlines the regulatory compliance standards relevant to the organization, along with the business processes and internal controls the organization has in place to adhere to those standards. So, sure, the OCR random audits will begin ‘soon’ (probably 2016), and sure, both covered entities and business associates could be caught unprepared… so why wait for a mandate? Just do the right thing now… it’s simply good business sense. I’m ‘hopeful’ that healthcare organizations will get the message and get busy!

Andrew Hicks