The University of Rochester Medical Center (URMC) has agreed to pay $3 million to the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services (HHS), and take substantial corrective action to settle potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

#Chousangle - This is an area where, on the surface, it looks like an easy fix where every device such as a thumb drive and laptop should be encrypted. Encryption of the device is the easier part. The challenge comes down to setting up a security program, as stated in the correction action agreement.

A third party consulting entity will conduct the risk analysis to identify the gaps. Once you have the gaps identified, the technical debt on the network infrastructure will be identified.

2. Will budget be allocated to support the next generation secured infrastructure or will the health system take 3-5 years on the infrastructure redesign and implementation, creating a constant state of hardware refresh?

3. Enterprise risk needs an organizational owner. Who is accountable for enterprise risk? This has to be the COO or someone leading operations and not the CIO.

4. An important key area is to design a security program, including the right governance structure vs. checking off the box on the audit.

5. Will research institutions comply with the organization's security protocol?

6. How will we hold employees accountable for failing to comply with the security guidelines?

These are just a few notes off the top of my head. What are your thoughts?