and new rules, based on a questionnaire and Web-based videoconference, Carson explains. Education alone helps address one weakness discovered in the government's expanded audit capabilities.
This year the Department of Health and Human Services (HHS) is expected to launch its HIPAA Audit Program to include business associates. The Office of Civil Rights (OCR) will expand beyond the pilot created with partner KPMG, which focused on 115 providers. Early results of the pilot show that providers have limited awareness of compliance as well as outdated policies and procedures, and that they fail to properly implement policies and procedures.
The complexity of today's systems makes it more challenging for healthcare to audit, says Tim Sedlak, senior product manager at Dell Software, which develops compliance tools, in an interview. "It used to be, you could audit your IT department, and everything was on-site," he says. "Now IT has blossomed and gone in every different direction. You have things like SharePoint and mobile devices, let alone the introduction of cloud-based services. That has a lot of people shaking in their boots. I think we're seeing a lot of concern in those areas."
Often Dell works with IT administrators and IT managers on a mandate from their chief compliance or chief security officer, Sedlak said. "People felt very comfortable even two, three years ago that, 'My IT guys know what to do around HIPAA, HITECH.' Now we've got the introduction of cloud services, SharePoint, Dropbox, SkyDrive, and tablets and smartphones," he said. "People realize they could have [personal health information] everywhere. They're concerned they don't know where data's gone. They're concerned they don't have the controls in the places where data's gone."
More awareness often translates into more funding -- for education, resources, and tools, whether internal solutions or external services. The need to manage and control risk will continue to grow in proportion to the data pouring into healthcare organizations' many devices, networks, and applications.
Nobody wants to be the next data breach headline. But ensuring that cyber security defenses are operating effectively and efficiently is a monumental challenge, given the sheer volume of information coming at us. Here's how to streamline your program. Get the Metrics That Work: Practical Cyber Security Risk Measurements report today (registration required).