
Q&A with Anupam Sahai, co-founder and CEO of Aegify

by Gus Iversen, Editor in Chief | September 10, 2015
Anupam Sahai
DOTmed HCB News sat down with Anupam Sahai, co-founder and CEO of Aegify, a provider of a cloud-based, software-as-a-service (SaaS) solution for IT security and compliance management, vulnerability analysis and risk management.

Sahai shared with us his thoughts on the current state of security, risk and compliance within the hospital.

HCB News: Tell us about Security, Risk and Compliance Management (SRC) and what it means to hospitals today?

Anupam Sahai: The healthcare industry is in a state of crisis today, with hospitals becoming a major target for cyber attackers. 40% of all breaches in 2014 targeted healthcare businesses and this number is growing aggressively year over year. About 30 million patient records have been exposed in data breaches and reported to Health and Human Services (HHS) since the HITECH Act's interim final breach notification rule became effective in August 2009.

The reason for the increase in attacks is simple. As the healthcare industry moves to electronic medical records it makes them a rich target for stealing Personal Health Information (PHI). In response to the threat, the HIPAA regulation was enacted in Sept 2013. The law requires that every hospital and healthcare business and their business associates (BA) who handle PHI should be HIPAA compliant. To become HIPAA compliant every business needs to implement a comprehensive security, risk and compliance management program to protect and secure PHI.

Every hospital should be performing regular assessments of their security, risk and compliance posture, remediating and plugging any gaps that are found during the assessment process, and continuously monitoring it to ensure that they stay on top of any changes that may affect their posture. There are financial implications if these requirements are not met. Institutions can be fined up to $1.5M per incident, with no upper limit, should a breach occur and/or a hospital is audited and found to be non-compliant.

HCB News: How are hospitals currently handling SRC? What challenges are they facing?

AS: The current approaches adopted by the hospitals vary greatly. Some bring in external consultants to provide a “one-time” fix to their problems. Some have internal staff who use manual processes to handle the SRC requirements. And some just ignore it, hoping and praying that they are not breached and/or audited by the government. The challenges faced by hospitals today are that the existing solutions are fragmented and siloed, with very high costs of deployment; they require a lot of overhead to manage and are very hard to use, and thereby are by and large ineffective. There are piecemeal applications that look at HIPAA assessments only, and there are separate applications that look at security vulnerabilities, which makes the life of the CIO or CISO very complicated. Hence the confusion in the hospital surrounding which tools to use and how to address ALL of the requirements for HIPAA compliance.
