Huge applause at the NIST-OCR-HIPAA 2015 conference

Andrew Hicks, Managing Principal, Coalfire

It looked like the 8th annual conference may have garnered record-breaking attendance as I noticed hotel staff rushing to add skirted tables and chairs to the back of the room to accommodate a standing-room-only crowd.  I guess that was to be expected given the star-studded line-up of presenters including HHS OCR Director Jocelyn Samuels, her brand new Deputy Director, Deven McGraw, and the OCR enforcer, Iliana Peters.  We also heard from government officials at the FTC, the ONC, NIST’s NCCoE, and the HHS Preparedness and Response office.  The audience responded to each session with a line of people trailing from the microphone set up for Q&A – and with excellent questions, too!

One gentleman posed a question (or actually, a problem) to Director Samuels about how small healthcare organizations simply aren’t securing data and getting compliant.  With her usual positive and ‘hopeful’ words (a word she said that the government is famous for using) she pointed out the many tools and endless information available on the OCR’s web site. She added that they are planning to redesign and launch their new web site ‘soon’ – apparently another commonly-used term by the government.  Immediately the gentleman stopped her and said that the problem is not that these healthcare organizations are not aware of what they need to do and what’s out there to help them get it done…it’s simply that they aren’t doing it.  He added that announcements of new fines and penalties resulting from OCR investigations are not helping.  The room broke out into applause for the gentleman’s response as we all shared the pain of not having a mandate in the industry to force these organizations to comply.

This brings me to a panel discussion about best practices for safeguarding the confidentiality, integrity and availability of ePHI, where the audience could pose all sorts of questions about executing a risk analysis, incident response planning, BYOD issues, access controls, encryption, and the security of medical devices and the cloud – the same old issues we talk about over and over. But one question for the panel was about the recent HITRUST CSF certification mandate that several large covered entities have placed on more than 7,500 business associates, to be completed in the coming months. What did the panel think of this gutsy move? They all thought it was a good idea, then moved on to the next question.

But it’s more than a good idea – whether the industry is going to mandate compliance with the HITRUST Common Security Framework or another risk management framework, organizations just need to pick one and get busy with a program to secure data. To be clear, a compliance framework outlines the regulatory compliance standards relevant to the organization, and the business processes and internal controls the organization has in place to adhere to those standards. So sure, the OCR random audits will begin ‘soon’ (probably 2016), and sure, both covered entities and business associates could be caught unprepared…so why wait for a mandate? Just do the right thing…it’s simply good business sense. I’m ‘hopeful’ that healthcare organizations will get the message and get busy!

Andrew Hicks
