Educause Security Discussion mailing list archives
Re: Research Expectations
From: "Piazza, John" <jpiazza () ITS UAB EDU>
Date: Fri, 5 Jul 2002 11:54:51 -0500
Much of the money I have seen spent on HIPAA has come from large organizations letting consultants persuade healthcare centers that HIPAA is similar to Y2K without an end in sight - nice work if you can get it and can still sleep at night. I know of two prestigious organizations personally who spent over five hundred thousand each to have a consultant come in, do a "gap analysis" and tell them that they were not HIPAA ready - kind of like getting hit in the head with a board - how could anybody be HIPAA ready before the law is even finalized, or even existed for that matter - it gets more specific but I will spare you the details. My understanding of HIPAA is that it is scalable and also allows for various gradients of security depending on the situation - from public use - which inherently has minimal technical security - technically - up to highly classified information - such as defense work or bio-terrorism research use - and still allows for manageability instead of the chaos, guesswork (instincts) or ignorance that is currently so predominant. 75-80% of HIPAA security is education and policy and training and the remainder is technical. It stretches from very basic security needs - such as somebody has to be assigned the security responsibility - up to dictating that information must be secure across the network whether it is open or closed, and different levels of background checks on systems people, etc. If it overlooks anything I am not sure what it is.
It reminds me of the OSHA act in its comprehensive nature - which many may also disagree with as being expensive and bureaucratic - until you start looking at the accident numbers of industries and companies that target OSHA as a minimal standard and act accordingly and reap the rewards, or assume it is another government conspiracy to take the guesswork out of keeping your people safe and fight it all the way down the line in one form or another, ranging from "we can't afford it" to "it is not good enough, therefore we will do nothing".

John Piazza
HIPAA Compliance Officer/Data Security Officer
The University of Alabama in Birmingham
205-975-0842

-----Original Message-----
From: Wayne Wilson [mailto:wwilson () UMICH EDU]
Sent: Friday, July 05, 2002 8:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Research Expectations

Piazza, John wrote:
It depends on the type of research it appears, Marty.
Well, it's certainly true that human subjects research is highly scrutinized and clinical trials research can be regulated by the FDA to a higher standard (or perhaps just different concerns) than HIPAA.
I am also hearing that all are looking to create congruence with the HIPAA standard once it is finalized - soon. If you research that you will find it is the most comprehensive and scalable law ever introduced in healthcare, privacy, or security. It is very good stuff and a model higher ed/EDUCAUSE will be well advised to consider adopting - in short order. John
In the health care IT community HIPAA is often called the Y2K project that never ends. This is a comment on the amount of money that has so far been spent, with no end yet in sight, not a comment on the effectiveness of the proposed measures. The issue here is the same one as in the other current thread about support dollars for IT being derived from current indirects. The bottom line is that this is all going to cost more money and that money has to come from somewhere. If you accept that current indirects are being spent on necessary costs, and that rate is not going to change, then it's hard to see how many of the improvements in security or operational robustness are going to be funded. One potential strategy is to encourage a shift in the kinds of hardware and software that are used. This also assumes (and this assumption needs to be checked) that researchers can be productive and IT support costs can be lowered by using a combination of commodity hardware and open source software, for example. OpenBSD was mentioned in an earlier post; there are also several variants of Linux such as the NSA-sponsored secure Linux. This strategy was designed to work in a zero-sum economic situation. Another, parallel strategy would attempt to work in a non-zero-sum economic situation, i.e. calling for higher reimbursements. Yet another strategy would be to stratify the kinds of IT support needed for various forms of research. It should be clear that a single strategy guided by the assumption that all information is confidential (the HIPAA approach) does not necessarily need to be applied to all research. That would make some kinds of research more expensive than others, and perhaps alter the kinds of research that particular institutions would be willing to undertake. Common and clear criteria for such stratification would need to be devised.
********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/memdir/cg/cg.html.
Current thread:
- Research Expectations Marty Hoag (Jul 03)
- <Possible follow-ups>
- Re: Research Expectations Piazza, John (Jul 04)
- Re: Research Expectations Wayne Wilson (Jul 05)
- Re: Research Expectations Jere Retzer (Jul 05)
- Re: Research Expectations Piazza, John (Jul 05)