What's the No. 1 Security Blunder?
Expert Insights on Avoiding Health Data Protection Mistakes
"People have a false level of comfort that as long as I can check the box and meet my compliance standards, then I'm OK," says Keller, a vice president at the consulting firm The Santa Fe Group. "But that's not what the regulators had in mind ... when they developed these rules and regulations," he says in an interview with Information Security Media Group.
"When you look at the security standards set up by HIPAA, it requires a risk analysis to be done just to determine the extent to which the rules apply in terms of implementing the regulations," he points out. "That really forces people to go beyond checking a box to say they've gone through the exercise. That isn't enough. They have to take that extra step to say: 'What am I doing to protect information, data, systems to make sure we're meeting the ultimate standard which is protection of private health information?'"
Many healthcare entities neglect to take their security and privacy programs beyond the floor set by HIPAA due to lack of resources and other constraints, Keller acknowledges.
But data security needs to be a top priority because of the risks that healthcare organizations face, he stresses. "Healthcare organizations have a bit of a double whammy - not only do they have private health information but they also have private financial information as well. That makes them a double target for the criminals and the bad guys."
In the interview, Keller also discusses:
- Weaknesses that many healthcare entities have in their overall privacy and security efforts;
- Tips for how healthcare entities can start improving their privacy and security programs, including taking a risk-based approach and having strong governance and organizational structures in place;
- Why many business associates struggle more with security and privacy than covered entities.
Keller, a senior vice president at The Santa Fe Group, has been developing and leading risk management programs for more than 25 years. At The Santa Fe Group, Keller focuses on risk management, privacy, online fraud and authentication issues. Previously, Keller was a vice president at Wachovia, where he served as the eCommerce Risk Manager. While at Wachovia he developed the business risk self-assessment program for the e-commerce division and managed the vendor risk management program for that division.