The recent identify thefts at large retail stores, such as Target and Neiman-Marcus, have exposed organizations to their vulnerability to lawsuits asserting that they weren't following best practices or even industry standards regarding information security. Specifically, the federal government’s NIST standards have made cybersecurity a paramount concern. That led to key infrastructure changes in industries such as banking and energy.
Now, the lawsuits against Target and others assert that the best practice of cybersecurity, which has been public for years, should have been followed by companies in all fields, of all sizes.
Many practices and healthcare organizations believe they have done enough by completing the risk assessment required in the Meaningful Use program.
But, it is no longer possible to "hide" behind a MU risk assessment, which is short of a complete HIPAA risk assessment. It is not even possible to claim HIPAA compliance without a full, complete and accurate assessment of the organization’s HIPAA program, security controls, privacy controls, and IT assets.
The bar has been raised. Compliance with the NIST Cybersecurity framework, which is fully implemented and supported by HIPAA, is not only a best practice. It’s now the industry norm. Practices should find a HIPAA risk assessment tool that is based on the NIST standard and use it to complete their annual risk assessment.