HIPAA and the Standard of Due Care – How Much Security is Enough?
There’s a natural struggle between those who write rules around compliance to a standard and those who must implement IT systems to ensure compliance with that standard. The former want to create guidelines rather than hard and fast requirements so there’s flexibility in how to achieve compliance. Plus, they want guidelines that allow for advances in technology. The latter want technical specificity – do X and become compliant.
With a compliance standard like PCI DSS, which specifies credit card information security requirements, there’s a great deal of technical specificity about what is required in order to become PCI DSS compliant. In fact, all but a handful of PCI DSS’s 211 sub-requirements call for specific technical actions. But even then, some PCI DSS sub-requirements are subject to interpretation by the various auditing authorities.
Most compliance mandates, especially those imposed by governments, aren’t as cut and dried as PCI DSS. They always pair many specific requirements for acceptable compliant behavior with non-specific requirements for technology-oriented safeguards.
The privacy and security of health information in the U.S. is governed by a Federal law called the Health Insurance Portability and Accountability Act (HIPAA). As written, HIPAA is vague in many behavioral and technological areas. The law turned over “rule-writing,” whose aim is to provide more specificity, to the U.S. Department of Health and Human Services (HHS). HHS wrote a key rule – the HIPAA Security Rule – that is relevant to information security professionals.
But alas, even the HIPAA Security Rule is ambiguous!
The HHS rule-writers acknowledged that small health care entities with simpler networks and limited resources cannot be held to the same rules as very large health care organizations whose systems and processes are global. To address this conundrum, the HIPAA Security Rule introduced the concept of “reasonable and appropriate” implementation of security protections, allowing health care entities to factor in cost, size, complexity, technical infrastructure, and the likelihood and seriousness of potential security risks.
That makes sense, but health care organizations are still left with the problem of rightsizing their security practices to fit HIPAA compliance. That raises the question: how much security is enough?
Enter the standard of due care.
“Due care” means that a health care entity has done everything it reasonably could to protect the organization from known threats. Due care, a concept that developed in the U.S. legal system in the 19th century, is a key measure for determining legal duty and therefore legal liability. Health care entities of all sizes and shapes can protect themselves by exercising due care.
In practice, this means that your organization should do what your peer health care entities do in similar circumstances. For example, if similar health care entities regularly perform third-party audits to check their own security measures and your organization does not, your organization could be held liable for not having taken prudent and reasonable actions to prevent misuse. If a security breach occurs as a result of your organization’s inaction and a lawsuit is filed, negligence will be measured partly against how similar health care entities operate.
Cisco is developing the “Compliance Solution for HIPAA” that will provide guidance to several classes of health care entities (e.g. regional hospital system, outpatient surgery center) as they look to become HIPAA compliant. While we won’t be able to guarantee that health care entities in those classes will be HIPAA compliant by following Cisco’s guidance, we plan to show how we were able to achieve HIPAA compliance in our lab. Our auditor will apply the standard of due care to determine whether the infrastructure, when assessed through the lens of the health care entity’s class, is HIPAA compliant. Stay tuned for more information about this important solution from the Cisco Compliance Solutions Group.
P.S. Cisco’s anonymous, 5-minute Regulatory and Industry Compliance Survey is still open! Please take it if you haven’t done so already!
In future blog posts, we will share the results with you.