Why Healthcare Entities Fall Short Managing Security Risk
Roger Severino, ex-HHS OCR, and Bob Chaput of Clearwater Share Lessons Learned
Why do so many HIPAA-covered entities and their vendors do such a poor job managing security risk and safeguarding patients' protected health information? Many critical factors come into play, say Roger Severino, former and longest-serving director of the Department of Health and Human Services' Office for Civil Rights, and Bob Chaput, founder and executive chairman of the board of privacy and security consultancy Clearwater.
"The biggest problem was the human one, and it really came down to bureaucratic inertia. So many covered entities just didn't prioritize health information privacy as part of their culture," says Severino about the time he spent leading the enforcement of the HIPAA security, privacy and breach notification rules as director of OCR during all four years of the Trump administration.
"It starts from the top down to the bottom. If you don't have it as part of the ethos, if you don't see it as helping serve your patients and your clients, then you're not going to take it as seriously as you should," he says in an interview with Information Security Media Group.
During his tenure at HHS OCR, Severino says, "we saw so many big breaches and violations that could have been prevented."
When it comes to security risk analysis and risk management, many of the struggles covered entities and their business associates have are "head shakers," says Chaput in the same ISMG interview.
"Strategically, the understanding of one's unique risk is undervalued and underappreciated," he says. "It's a bit of a 'shoot, ready, aim' phenomenon … and that usually happens when organizations adopt a security controls checklist approach rather than a risk-based approach."
In the interview, Severino and Chaput also discuss:
- Avoiding top mistakes involving security risk analysis and risk management;
- Potential malpractice lawsuits involving ransomware attacks on healthcare providers;
- Suggestions for HHS OCR enforcement and regulatory priorities moving forward under the Biden administration.
Severino, an attorney, is a senior fellow at the Ethics and Public Policy Center. Before joining EPPC, he was the director of HHS OCR from 2017 to 2021.
Chaput is the founder and executive chairman of the board of Clearwater, a healthcare compliance and cybersecurity risk management consulting service.