Home > Security

Computerworld - Trouble T1cket

• At issue: Federal regulators require notification of all security breaches.
• Action plan: Change procedures and contracts to make sure the agency is in compliance.

Security professionals dont work in a vacuum. Nor do we simply track down and implement security best practices. Sometimes, we are dictated to. And when you work in a state agency that has to follow the mandates of the federal Centers for Medicare & Medicaid Services (CMS), you need to pay close attention and jump when youre told to jump. The CMS is the final authority for my agency in all matters pertaining to the security of confidential health information. When it tells us we should do something, it means we must do it.

You must, because if you dont, your state could not only lose federal funding for Medicaid programs, but also be saddled with severe penalties. But I have no qualms about compliance matters. I like to be ahead of the game, not lagging behind and living in fear.

A year ago, the CMS sent out a letter to all state Medicaid directors reminding them that they have an obligation to abide by all Federal and State laws regarding the security and privacy of medical data and records, and of all protected health information.

That isnt a reminder I needed, but the letter also drew attention to federal legislation stating that states should perform an internal or external risk assessment.

The letter arrived at a good point in our fiscal cycle. We were able to get money budgeted so we could contract with an outside assessment firm. Since then, we have also performed a security self-assessment, following the guidelines from NIST Special Publication 800-26, and the legislative counsels auditors and our agencys outside attorneys have also completed audits of us.

We sailed through them all without problems, but I should know better than to expect to relax. And sure enough, in August, we received a clarification letter from the CMS. Clarification was certainly needed, since I had completely missed the import of a statement that all security breaches should be immediately reported to the director of the Division of State Systems at the CMS.

Our practice is to report security breaches to our states Office of Information Security, and I had assumed that we could continue to do so, provided that the state OIS reported the breach to the CMS. Not so. The buck stops here.

Silver Lining
This certainly wasnt a case of overlooking bad news I didnt want to deal with. The truth is that Id rather not report breaches to the OIS, since that office has been largely ineffective. Its budget is inadequate, its poorly staffed, and it has been through three chief information security officers in the past three years. Id just as soon report directly to the CMS, and maybe cc: the OIS.