Q&A with Anupam Sahai, co-founder and CEO of Aegify

by Gus Iversen, Editor in Chief | September 10, 2015

HCB News: Who within the hospital is handling SRC?

AS: Depending on the size of the hospital, SRC could be handled by multiple departments, ranging from the IT group, the security group and the compliance group. This complicates matters, as traditionally there are different application silos, as I mentioned earlier, that are adopted by these different departments.

HCB News: What solutions exist for handling these SRC challenges?

AS: There are various fragmented applications that address parts of the overall HIPAA SRC needs. There are GRC applications that are able to handle HIPAA controls, administration and policy requirements. There is a separate category of security scanning application that is able to assess security vulnerabilities and there are separate tools for doing risk assessments. HIPAA compliance requires all of these aspects to be met. Hospitals need to comply with HIPAA controls, they need to ensure all their PHI critical assets are security scanned for vulnerabilities, and risk analysis allows them to focus on the highest risk assets to minimize breaches and exposure. Aegify was designed to provide a single stop solution to address ALL aspects of HIPAA, from assessments to scanning, to remediation followed by continuous monitoring of their SRC posture to ensure that hospitals are able to stay on top of any changing conditions.

HCB News: What federal mandates and guidelines are affecting hospitals today?

AS: HIPAA is the federal mandate from HHS (Health and Human Services) and the enforcement agency is the OCR (Office of Civil Rights). Meaningful Use is a requirement of the EHR incentive program from the government.

HCB News: Can you expand on Meaningful Use?

AS: Meaningful Use attestation requires performing security risk analysis of the entire hospital infrastructure before the Meaningful Use grant dollars (about $28 billion) can be received by hospitals. One of the key requirements for achieving Meaningful Use is to perform security risk analysis, which can take approximately 70% of the total time required for achieving the attestation. This is essentially an SRC problem that needs to be addressed by the organization to ensure that all critical assets in the organization, whether they are related to people, processes or IT assets, are assessed for risk exposure so that the hospital can address the highest risk issues to minimize liability or the chances of a data breach.

HCB News: Have hospitals that have taken a proactive approach seen a reduction in security risk and thus an improvement in compliance?

AS: Yes, the awareness is definitely growing. If we analyze all the breaches that have happened over the last few years, about 98% of the breaches were avoidable if the organizations had implemented simple controls to protect themselves. So, the payoffs are very quick and direct. This will not only protect them from breaches and loss of data, which can be devastating, but also protects them from huge government fines and patient lawsuits, not to mention the reparation costs of a breach, which average approximately $5.6 M.
