HIPAA (Health Insurance Portability and Accountability Act) is a very necessary evil. I want my Protected Health Information (PHI) protected from casual scrutiny, and accessible only to those I want and need to give it to. Don’t you?
After all, knowing I just had the flu? Ok, I really don’t care about that. But if I had an STD, or a degenerative disease, I would probably be a bit more concerned with who knew those pieces of information about me.
So the HIPAA rules were put in place to make sure of exactly that. Your PHI should be encrypted, secured, accessed only by authorized individuals and groups, and there should be an audit trail for those accesses. (Strictly speaking, encryption is an “addressable” specification under the Security Rule rather than a flat requirement, but if you skip it you had better have a documented, defensible reason and an equivalent control in its place.) This makes sense! (Wow, amazing! Government regulations that make sense? What universe did I fall into?)
No, seriously, this is a good thing. The only problem is that complying with such regulations, maintaining that compliance, testing that compliance, and writing the policies, procedures, rules, and regulations that build and enforce that compliance all cost money. Project managers, security engineers and analysts, better systems to handle the EMR (Electronic Medical Record) data in an encrypted, secure format: all of these things cost.
So when the HIPAA documentation suggests it costs less than $60 or $565 (depending on how you do the math) per organization to handle the compliance? I’m not really sure about that. To be honest, I have to call shenanigans. Four hours of a good Project Manager’s time is more than the $565 they claim for the entire project! Long story short, they claim that
Budgeting for security is always tough. But misrepresenting the time, effort, and cost needed to plan, implement, and maintain HIPAA compliant systems doesn’t make HHS look good, or inspire confidence in their numbers.
I think they need to redo the math!!
What kinds of costs are you seeing for your HIPAA compliance projects? And what do you think of their estimate?
Love to see your answers in the comments!
Joshua Marpet is on the Board of Directors of two Infosec conferences, BSides Las Vegas and Security BSides Delaware. He is also staff at Derbycon and Shmoocon, and serves as the “InfoSec Megaphone” anywhere else he goes. Joshua is an experienced forensics, incident response, and mobile forensics expert and researcher. As an adjunct professor at Wilmington University, he teaches Information Security at an NSA/DHS certified Center of Academic Excellence. In his professional life, he is a managing partner at Guarded Risk, a proactive forensics and proactive incident response firm.