A CISO Describes Major Job Transition
Shifting from a Healthcare Provider to a Business Associate
"Many covered entities take the word of business associates when they say they comply with HIPAA - they barely probe, if at all. At Partners, we were trying to do something different. ... We were really trying to put some teeth to our third-party security risk management," says Aske, who left Partners earlier this month to become CISO of Nuance Communications, a provider of software and transcription services.
As other healthcare providers also become more demanding for proof of their business associates' HIPAA compliance, the security and privacy bar is being raised for those vendors.
"So, now I'm on the other side of the coin, and what that means for me is that I have to be prepared to respond to increasingly sophisticated covered entities," he says in an interview with Information Security Media Group.
"They will not take Nuance's simple word or attestation of conformance with the various regulations and obligations. Nuance will have to demonstrate that. I'll be part of the group defining how they demonstrate that conformance."
Aske describes his role change this way: "I'm going from a position where I was asking the questions, to one where I'll be answering them."
Business Associates' Responsibilities
Under the HIPAA Omnibus Rule that went into effect last year, business associates are now directly liable for HIPAA compliance. Like covered entities, those vendors face potential enforcement penalties from the Department of Health and Human Services' Office for Civil Rights, including fines ranging up to $1.5 million per HIPAA violation, such as breaches and other non-compliance issues.
Aske notes that many of the security challenges faced by BAs and covered entities are similar. That includes, for example, staff members who want to use consumer technologies for their work. "They want to use things like Dropbox and other technologies that don't have enterprise-grade security," he says.
In the interview, Aske also discusses:
- The biggest security and privacy challenges and threats facing the healthcare sector in 2014;
- Suggestions for steps covered entities can take to ensure their business associates are properly addressing privacy and security issues;
- The key privacy and security lessons he learned as CISO of a covered entity.
Before joining Nuance Communications in January as the software vendor's CISO, Aske was CISO and chief privacy officer of Partners HealthCare, an integrated delivery system in Boston. Partners owns Massachusetts General Hospital and Brigham and Women's Hospital, several other community and specialty hospitals, and numerous other units. Before joining Partners, Aske, an attorney, was the CISO at UMass Memorial Hospital. He also formerly served as CISO for Massachusetts' Executive Office of Health and Human Services, where he was responsible for coordinating information security across the 16 state agencies. Aske also previously was the information security officer for the Massachusetts Department of Public Health.
HealthcareInfoSecurity named Aske to its list of top Influencers for 2014, which recognizes leaders who are playing a critical role in shaping the way healthcare organizations approach information security and privacy.