February 21, 2005

You'd Think They'd Have Better Things to Do: The FBI and HIPAA

Brett Mendel, Senior Analyst at Byte and Switch Insider, is reporting that the FBI is apparently investigating data security breaches under HIPAA:

"It is happening with HIPAA," says Mark Diamond, president and CEO of data storage consulting firm Contoural Inc. "If you do not maintain security of data, you will be investigated by the FBI."

Say what?

You bet. While the U.S. Department of Health and Human Services (HHS) monitors compliance with the Health Insurance Portability and Accountability Act (HIPAA), the law does indeed expand the FBI's reach into the realm of healthcare violations.

Security of data is the issue here:

Securing data that resides in enterprise storage, or data "at rest," has become a hot topic for more than just the healthcare industry (see Wedding of the Year). Indeed, SAN security vendors such as Decru Inc., NeoScale Systems Inc., and Vormetric Inc. have been banging the drum of storage security for some time. But the legal implications of those concerns are only now hitting home.

"We do hear of more security audits by the government," Kevin Brown, VP of marketing at Decru, recently told Byte and Switch.

The problem for "covered entities" is that the regulations don't specify how to protect the data:

"The law is descriptive more than prescriptive," says Dick Benton, practice manager for storage governance at GlassHouse Technologies Inc. "They leave it up to IT departments to determine what 'protecting the security and confidentiality of information' means."

And according to Fiona Jones, Compliance Columnist, the cost of HIPAA has exceeded 17 billion dollars.