Buried in an interesting article about how to ace your next IT compliance audit are some chilling words about HIPAA compliance complacency. The piece in Dr. Dobb's Portal notes that security compliance experts have a bird's eye view of compliance problems. "We see a lot of misconfigurations," says Sean Kelly, business technology consultant for Consilium1, which performs vulnerability assessments and pen tests. Kelly says many firms think they are complying, but upon closer inspection, they haven't really hit the mark. One healthcare firm Consilium1 worked with, for example, was shredding documents in what it called a "secure" room, but one of the doors was always left unlocked, as well as one of the bins that housed the documents, Kelly says.
But HIPAA may suffer from the most apathy since there's really no proactive auditing performed by Health and Human Services. "Some of these organizations lose their focus on it and aren't following through with it as much," Kelly says in the article. "And some have pooh-poohed it and not done anything," such as smaller doctors' offices and radiology groups, he says. The problem is that no one's policing HIPAA.
We recently noted an article from a healthcare attorney suggesting that HIPAA enforcement had finally sprouted some fangs.