Scoff (definition): to speak to someone or about something in a scornfully derisive or mocking way.
(synonyms): mock, deride, ridicule, sneer at, jeer at, jibe at, taunt, make fun of, poke fun at, laugh at, scorn, laugh to scorn, dismiss, make light of, belittle

How could that feel?

We just need to ask the leadership at the DEA, the VA and SSA!

Rep. Ted Lieu (D-CA) apparently didn’t pull any punches at the House Oversight and Government Reform Committee hearing on the data breach at the Office of Personnel Management (OPM) affecting 4 million federal employees. According to a blog post by Jedidiah Bracy on the Privacy Association website, Rep. Lieu “scoffed at the agency for not conducting a risk assessment, calling it a ‘failure of leadership,’ something that goes beyond the OPM” and called for the resignation of leadership “for the good of the nation.”

It’s not an unreasonable demand. What protector of health and personal information doesn’t understand the need, not to mention the regulatory requirement, to do a risk assessment?

Why You MUST Conduct a Risk Assessment

  • It’s required for HIPAA-HITECH
    • Leon Rodriguez (former OCR director) has told us:
      “… what we’re seeing over and over again is the failure to do a thorough risk analysis…”
      “… risk analysis will be one of the areas of focus…” [in the 2015 OCR audits]
    • Jocelyn Samuels (current OCR director) has told us:
      “We continue to see a lack of comprehensive and enterprise-wide risk analysis and risk management that leads to major breaches and other compliance problems.”
      “When the OCR investigates a breach, we not only look at what was done to correct and remedy a breach but what led to the incident to determine if noncompliance played a part. Comprehensive enterprise risk analysis followed by … timely risk management practices is the cornerstone of any good compliance program.”
  • It’s required for Meaningful Use
    • Did you know that 25% of practices are failing Meaningful Use audits? A provider that fails just one element of a Meaningful Use audit not only must return the entire incentive payment for that year, but is also automatically scheduled for another audit for another participating year. The most common problems identified so far are noncompliance with a required data security risk assessment…
  • It’s the first thing on government investigators’ and auditors’ list of “must do”
  • It’s essential business risk management.

Yet, according to Ponemon’s Fifth Annual Privacy and Security of Healthcare Data Report, more than a third of health care organizations and their business associates admitted to using only an ad hoc process to determine residual risk, even following security incidents involving electronic documents.

Come on people, this is not whack-a-mole!

Scoffing is The Least of Your Worries

It’s not as if a dressing-down by public officials following a breach is all we have to worry about. A breach is expensive: investigation, mitigation, remediation, notification, ID protection, distraction… and that ain’t all: patients sue! Shareholders sue! And THEN leaders lose their jobs.

As Warren Buffett once said, “Risk comes from not knowing what you’re doing.” Don’t waste time thinking up reasons not to do it – just do it!

Some additional resources:

Contact us today to learn more about our Risk Assessment solutions

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.