Educause Security Discussion mailing list archives

Re: Research Expectations


From: "Piazza, John" <jpiazza () ITS UAB EDU>
Date: Fri, 5 Jul 2002 11:54:51 -0500

Much of the money I have seen spent on HIPAA has come from large
organizations letting consultants persuade healthcare centers that HIPAA is
similar to Y2K without an end in sight - nice work if you can get it and
can still sleep at night. I know of two prestigious organizations personally
who spent over five hundred thousand each to have a consultant come in, do a
"gap analysis" and tell them that they were not HIPAA ready - kind of like
getting hit in the head with a board - how could anybody be HIPAA ready
before the law is even finalized or even existed for that matter - it gets
more specific but I will spare you the details.

My understanding of HIPAA is it is scalable and also allows for various
gradients of security depending on the situation - from public use - which
inherently has minimal technical security - technically - up to highly
classified information - such as defense work or bio-terrorism research use
and still allows for manageability instead of chaos, guesswork (instincts) or
ignorance as is currently so predominant. 75-80% of HIPAA security is
education and policy and training and the remainder is technical. It
stretches from very basic security needs - such as somebody has to be
assigned the security responsibility - up to dictating that information must
be secure across the network whether it is open or closed and different
levels of background checks on systems people etc. If it overlooks anything
I am not sure what it is.
It reminds me of the OSHA act in its comprehensive nature - which many may
also disagree with as being expensive and bureaucratic - until you start
looking at the accident numbers of industries and companies that target OSHA
as a minimal standard and act accordingly and reap the rewards, or assume it
is another government conspiracy to take the guesswork out of keeping your
people safe and fight it all the way down the line in one form or another
ranging from "we can't afford it" to "it is not good enough therefore we will
do nothing".



John Piazza
HIPAA Compliance Officer/Data Security Officer
The University of Alabama in Birmingham
205-975-0842

-----Original Message-----
From: Wayne Wilson [mailto:wwilson () UMICH EDU]
Sent: Friday, July 05, 2002 8:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Research Expectations

Piazza, John wrote:
It depends on the type of research it appears, Marty.

Well, it's certainly true that human subjects research is
highly scrutinized and clinical trials research can be
regulated by the FDA to a higher standard (or perhaps just
different concerns) than HIPAA.

I am also hearing that all are looking to create congruence with
the HIPAA standard once it is finalized - soon. If you research that you
will find it is the most comprehensive and scalable law ever introduced in
healthcare, privacy, or security. It is very good stuff and a model higher
ed/EDUCAUSE will be well advised to consider adopting - in short order.
John

In the health care IT community HIPAA is often called the
Y2K project that never ends.

This is a comment on the amount of money that has so far
been spent, with no end yet in sight, not a comment on the
effectiveness of the proposed measures.

The issue here is the same one as in the other current
thread about support dollars for IT being derived from
current indirects.  The bottom line is that this is all
going to cost more money and that money has to come from
somewhere.  If you accept that current indirects are being
spent on necessary costs, and that rate is not going to
change, then it's hard to see how many of the improvements
in security or operational robustness are going to be funded.

One potential strategy is to encourage a shift in the kinds
of hardware and software that are used.  This also assumes
(and this assumption needs to be checked) that researchers
can be productive and IT support costs can be lowered by
using a combination of commodity hardware and open source
software, for example.  OpenBSD was mentioned in an earlier
post; there are also several variants of Linux such as the
NSA-sponsored secure Linux.  This strategy was designed
to work in a zero-sum economic situation.

Another, parallel strategy would attempt to work in a
non-zero-sum economic situation, i.e. calling for higher
reimbursements.

Yet another strategy would be to stratify the kinds of IT
support needed for various forms of research.  It should be
clear that a single strategy guided by the assumption that
all information is confidential (the HIPAA approach) does
not necessarily need to be applied to all research.  That
would make some kinds of research more expensive than
others, and perhaps alter the kinds of research that
particular institutions would be willing to undertake.
Common and clear criteria for such stratification would need
to be devised.

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at
http://www.educause.edu/memdir/cg/cg.html.