Contributed by Lee Kim, Esq.


IT security is oftentimes overlooked until it is too late.  An organization may be faced with a data breach situation and, at that time, must deal with containing the risk, reporting the breach, and then determining how to prevent such problems in the future.  An organization would be better served, however, taking a proactive as opposed to a reactive approach.

In fact, the HIPAA Security Rule mandates risk analysis and risk management for an organization’s information systems from the get go.  Covered entities and now business associates (under the HITECH Act) must take these steps.  Risk analysis and risk management should be ongoing for an organization and policies and procedures should be written and implemented to take into account these things.

Internal and external threats may change at frequent intervals.  Insider threats (i.e., one’s workforce) can be sometimes more of a danger to an organization than external threats.  See, e.g., CERT’s Insider Threat Research page.  Insider threats may include theft of information (which may be done surreptitiously, such as by way of digital steganography) or comprising computer systems.  However, external threats are also on the rise and hacking techniques are becoming more sophisticated.  For example, a seemingly normal looking e-mail may actually be an attempt to "phish" for information.  Clicking on a link in your e-mail inbox or on the web may lead to the installation of a virus or malware (i.e., software which disrupts functionality on your computer system, gathers sensitive information, or gains access to your system) on your computer system.

Other considerations include how your organization is exchanging information with the outside world.  Is e-mail and other data encrypted?  And, how is the outside party handling your sensitive information?  What are their privacy and security policies?  If you outsource to the "cloud", then what is the cloud computing provider’s policies and their data center’s policies?

Finally, what is your organization doing with its computer systems and components at the end of their life cycle?  Is the information truly being destroyed?  Is there verification that the information has been destroyed?  (Not all data wipe procedures are robust; and some may not be implemented properly by the manufacturer.)

For these reasons (and more – as there are many other considerations not addressed here in this brief posting), there is a need for oversight of activity within an organization as well as monitoring attempts to breach the security of an organization’s computer system from the outside.  Compliance with the HIPAA Security Rule requires a specific examination and understanding of your own IT infrastructure and the flow of information within and outside your organization.