Welcome back to Compliance University! This month, I present six rules for applying compliance common sense to your security purchasing decisions. Make
by Neil Caesar
Friday, August 1, 2003

Welcome back to Compliance University! This month, I present six rules for applying compliance common sense to your security purchasing decisions.

  1. Make purchases with reference to your overall strategy. What is your tolerance for risk? Are you willing to spend whatever it takes to close every possible breach of security? It is important to identify your perspective toward security compliance and the areas where you need particular focus — before you spend money. All of your subsequent spending decisions should be consistent with that perspective and focus.

  2. Focus on the practical risks your security systems face. Firewalls and virus-detection systems are worthless if someone can break into the room where your hardware is maintained. Conversely, you may conclude that physical security is not a top priority. Again, make sure your solutions align with the dangers you identify, and whether those dangers are realistic for your activities.

  3. Accept that neither HIPAA nor common sense requires you to treat each potential problem the same way. All data do not require the same level of protection. The more sensitive or vulnerable the information, the more you should protect the information. The consequences of accidental disclosure of infusion therapy given to an AIDS patient may be more significant than the accidental disclosure of a patient's need for a manual wheelchair.

  4. Make purchasing decisions based upon your staff's needs and abilities. It is easy to focus on state-of-the-art product features. Who wouldn't want the strongest possible encryption system? But it does you no good if your staff isn't capable of using the system, or if it takes too much time to do so. In many cases, a good firewall that a systems administrator can maintain as part of ordinary operations will serve you better than a state-of-the-art firewall that requires high-level maintenance skills.

  5. Don't lose sight of the trees for the forest. Your security purchases are only as good as the overall security profile they support. Modems, wireless access points, routers and firewalls can defeat your security infrastructure. They are the entry points from which inappropriate services can be enabled and ports can be opened. Without controlling the process by which you add users and equipment, you may not be able to secure the network.

    This is no different than the danger that often arises under the anti-fraud rules concerning outside contracts and joint ventures. I frequently observe suppliers who spend a lot of time and money to structure a compliant contractual arrangement with a provider, and then forget to monitor the ongoing operation. The written safeguards don't work if you ignore them. Don't just learn what the products do. Understand how to manage your purchases.

  6. Determine how much is enough. Your compliance initiatives will reach an inevitable point of saturation. The truth is, your network will always be vulnerable on some level. If a hacker has unlimited resources and fervor, he or she will penetrate your system. Develop a method for quantifying risk, and appropriate responses to that risk, consistent with an overall assessment of your operation's strengths and weaknesses. Use the insight that comes from that analysis to allocate your resources.

Equally important, document your decision-making process. Not only will this demonstrate that you took a reasoned approach to HIPAA compliance, but it will enable you to assess the working premises on which you based your decisions so that you can evaluate efficiently and effectively whether new developments warrant a change in your risk allocation.

We don't yet know how HIPAA will be enforced. But it is certain that the ability to demonstrate due diligence in designing your network protections will provide a strong defense in cases of accidental disclosure.

Neil Caesar is president of the Health Law Center (Neil B. Caesar Law Associates, PA), a national health law practice in Greenville, S.C. (www.healthlawcenter.com). He also is a principal with Caesar Cohen Ltd., which offers compliance training, outsourcing and consulting. A frequent author and speaker, Caesar is the author and editor-in-chief of the Home Care Compliance Answer Book. He can be reached via e-mail at ncaesar@healthlawcenter.com or by telephone at 864/676-9075.