HIPAA Insecurity
By Deborah Gage | Posted 2004-04-01
Medical institutions have a lot of work to do to comply with the Health Insurance Portability and Accountability Act's security provisions by next April.

If Chris DeVoney hustles, he can stay one step ahead of the hackers he fears are going to steal patient records. But he doesn't dare rest. He is the computing director at the clinical research center of the University of Washington Medical Center. In the past year, he has patched and installed software firewalls on 50 to 100 disparate medical devices: everything from computers to printers to FDA-approved devices that require bridging firewalls, because no software can be loaded onto them and so a host-based firewall is not an option.
Last month, he cleaned up after an attack by the Witty worm, which overwrote the hard drives of 80 or so computers. The week before that, a notebook computer was hacked while it was recording data from sensors attached to a subject who was sleeping as part of a research project. The campus had to "cut the hacker out" by turning off the notebook's Internet access so the study could be finished, says DeVoney.
The research center depends on the university's technology infrastructure, and government budget cycles make it hard for the university to buy what it needs when it's needed. Right now, for example, DeVoney has no perimeter firewall. Nevertheless, in April 2005, the Medical Center and thousands of other healthcare organizations will have to comply with regulations to protect the electronic security of patients' records: records that track their physical or mental conditions, their treatments, and their healthcare insurance and payments. Violations can incur civil penalties of up to $25,000 per infraction per year, and criminal penalties of up to $250,000 in fines and 10 years in prison. (Very small organizations have an extra year to comply.)
The regulations are part of HIPAA, the Health Insurance Portability and Accountability Act passed in 1996, and are just the latest in a series of rules the law will generate for years to come. But the cost of complying, which ranges from $20,000 to $1 million for security alone, according to Jon Bogen, founder of West Chester, Pa.-based HealthCIO, is being borne by the organizations themselves.