Recently, Brian Wolfe who heads the Security and Compliance practice at Laurus Technologies, commented in this article about the need for the health care sector to ready themselves for electronic health records (EHRs). In fact, some of the changes and dictates to move to EHRs are found in the recently approved HITECH Act.
I agree with Mr. Wolfe that ISO 27001:2005 provides a great foundation for organizations to ready themselves for the necessary changes and controls to process EHRs. I think IT Security professionals should appreciate that their business partners would be apprehensive about leveraging standards like those from ISO. I think some of the apprehension is in part driven by how Information Security professionals position the use of "industry standards" and the stereotypes that are easily developed given the use of the word "standards". It is important to remember that standards like ISO 27001:2005 are voluntary. In fact, ISO states on its website that "ISO standards are voluntary."
I believe you are more likely to be successful in implementing industry standards, and ultimately enabling business strategies, by applying standards from the perspective that they are truly VOLUNTARY. There are many IT Security professionals who will say, "I know standards are voluntary", but many don't operate that way. Too often I have ended up in long debates about whether to implement certain standards because IT Security professionals engage in and behave in the debate as though industry standards are non-negotiable. I have to admit, I have sometimes fallen into that trap myself...
The ISO 27001 ISMS specification, as well as ISO 27002, the Code of Practice for Information Security, provide great guidance to companies for establishing the systems and controls for securing information and enabling compliance. Companies should leverage ISO 27001:2005 for HITECH Act compliance, but should also view these standards as best-practice guidance rather than as mandatory. Viewing these standards as best-practice guidance also supports a risk-based approach to securing information.
Mark Brooks