In pursuit of HIPAA, a new compliance gap arises

Meeting requirements can be exhausting, but the business payoff can make it all worthwhile

Now that we’ve passed our PCI audit, we’re making another big compliance push, this time for HIPAA. We’re not in the health field, but the Health Insurance Portability and Accountability Act includes guidance and requirements related to the safeguarding of health-related data that can be useful for just about any company.

Action plan: Present the executive staff with findings about what will be needed, while emphasizing the potential business benefits.

We were similarly situated when we chose to improve our credit card-handling processes by going through a full Level 1 type of PCI assessment. We fall short of the number of credit card transactions that would make a full Report on Compliance necessary, but we made a business decision to become more attractive to customers by reaching that level of compliance. When it comes to personally identifiable health information (PHI), some customers have said they would like to store it in our application. Up to now, we have advised against that because we are not HIPAA-compliant. But with the realization that our stance could result in some lost opportunities with prospective customers, we’ve decided to look into what it would take to reach HIPAA compliance.

To get started, I hired a third party to assist with a gap analysis. It turned up one area where we have a big gap between where we are and where we should be for HIPAA purposes: logging. A second gap that we identified, in the area of encryption, is not a problem for HIPAA compliance (surprisingly, encryption of data isn’t mandatory under the current requirements), but we nonetheless decided it was a failing that could contribute to customers’ reluctance to use our application.

For HIPAA, companies have to create, enable, collect and store a lot of log data. You need to know who accessed data and whether they just viewed it or changed something. If they did make changes, you need to know when they changed it and the previous value before the change was made. Was a report generated, and did that report contain any PHI? Was data transferred to a third party via our API or some other data-delivery mechanism? If so, what data was transferred, where did it go and who initiated the activity? All of the log data needs to be available in a timely manner and retained for a certain period of time. To make all of that possible will require a considerable amount of engineering effort.
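The record-keeping described above (who accessed what, view versus change, timestamp and prior value, and whether a report or export carried PHI) maps naturally onto an append-only audit trail. The following is an added illustration, not code from the column or its author's company: a small hash-chained audit log in Python whose field names, actions and sample events are all constructed for the example. Chaining each entry's SHA-256 digest to its predecessor means later tampering with a stored "previous value" is detectable when the chain is verified, which is the kind of integrity property an auditor would want before trusting the log.

```python
"""Hash-chained audit trail for PHI access (added example; all names,
actions and sample records are constructed, not from the column)."""

import hashlib
import json
from dataclasses import dataclass, asdict
from typing import Any, Dict, List, Optional, Tuple


@dataclass
class AuditEvent:
    actor: str                          # who performed the action
    action: str                         # "view", "change", "report", "export"
    record_id: str                      # which stored record was touched
    at: str                             # ISO-8601 timestamp (UTC)
    contains_phi: bool = False          # did a report/export include PHI?
    old_value: Optional[Dict[str, Any]] = None   # value before a "change"
    new_value: Optional[Dict[str, Any]] = None   # value after a "change"
    destination: Optional[str] = None   # where an "export" was sent
    prev_hash: str = ""                 # digest of the preceding entry
    entry_hash: str = ""                # digest of this entry


GENESIS = "0" * 64
# Fields that must be present for an action to be a complete audit record.
REQUIRED = {"change": ("old_value", "new_value"), "export": ("destination",)}


def _digest(event: AuditEvent) -> str:
    """SHA-256 over the canonical JSON of every field except entry_hash."""
    body = asdict(event)
    body.pop("entry_hash")
    canon = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class AuditLog:
    def __init__(self) -> None:
        self.entries = []  # list of AuditEvent, append-only

    def append(self, event: AuditEvent) -> AuditEvent:
        # Reject incomplete records: a change without before/after values
        # or an export without a destination is useless to an auditor.
        for needed in REQUIRED.get(event.action, ()):
            if getattr(event, needed) is None:
                raise ValueError(f"{event.action!r} event requires {needed}")
        event.prev_hash = self.entries[-1].entry_hash if self.entries else GENESIS
        event.entry_hash = _digest(event)
        self.entries.append(event)
        return event

    def verify(self) -> bool:
        """True if every entry's digest and back-link are intact."""
        prev = GENESIS
        for e in self.entries:
            if e.prev_hash != prev or _digest(e) != e.entry_hash:
                return False
            prev = e.entry_hash
        return True

    def changes_to(self, record_id: str) -> List[Tuple[str, str, Any, Any]]:
        """(actor, timestamp, old, new) for every change to one record."""
        return [(e.actor, e.at, e.old_value, e.new_value)
                for e in self.entries
                if e.action == "change" and e.record_id == record_id]

    def phi_disclosures(self) -> List[AuditEvent]:
        """Reports and exports that carried PHI, with their destinations."""
        return [e for e in self.entries
                if e.action in ("report", "export") and e.contains_phi]


def build_sample_log() -> AuditLog:
    """Constructed sample activity against one record (hypothetical data)."""
    log = AuditLog()
    log.append(AuditEvent("alice", "view", "rec-1001", "2014-05-12T09:00:00Z"))
    log.append(AuditEvent("bob", "change", "rec-1001", "2014-05-12T09:05:00Z",
                          old_value={"allergy": "none"},
                          new_value={"allergy": "penicillin"}))
    log.append(AuditEvent("alice", "report", "rec-1001", "2014-05-12T09:10:00Z",
                          contains_phi=True))
    log.append(AuditEvent("svc-api", "export", "rec-1001", "2014-05-12T09:15:00Z",
                          contains_phi=True, destination="partner-x"))
    return log


if __name__ == "__main__":
    sample = build_sample_log()
    print("chain intact:", sample.verify())
    print("changes:", sample.changes_to("rec-1001"))
    print("PHI disclosures:", [(e.action, e.destination) for e in sample.phi_disclosures()])
```

Retention and timely availability, the other two requirements the column lists, are operational properties of wherever these entries are shipped; the chain only guarantees that what is retained has not been silently altered.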

Encryption is also problematic. We already encrypt things such as passwords and credit card data (which is, of course, a PCI requirement). But our application architecture makes it extremely difficult to encrypt all data in the database, because application performance would take a hit, and we are very sensitive to our customers’ needs for a high-performing application.

We could offload encryption to a third party, we could encrypt the entire hard drive, or we could encrypt data at the application layer, which would provide encryption at rest.

The operations team was leaning toward encrypting the hard drives, because options that are fairly easy to deploy are available. I agreed that it would be easy to do, but I objected that the method wouldn’t really be effective from a security perspective (and encryption is one thing that should be all about security). When you encrypt a hard drive, you are ensuring that anyone who comes into possession of that drive can’t access the data. In other words, the only way such encryption would protect the company would be if the hard drive were stolen. Now, the likelihood is infinitesimally small that a bad guy is going to determine where our highly secure data center is located; get past the security guards, mantraps and biometrics; and then figure out which of the hundreds of drives to pull out.

Encrypting the data as it sits in the database is more secure, but it requires a considerable amount of coding. Besides encrypting the required data, you have to be able to decrypt it when it’s needed in reports, visually rendered in the application or called up during other required data-delivery operations.

Now that the gap analysis is complete, the findings will be presented to the executive staff, which will make a business decision: Is it worth the time, money, resources and shifting of other priorities to become HIPAA-compliant, or do we continue to turn away business?

Phrasing the question like that should do the trick.

This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at
