Pratum Blog

Are you a business associate of a covered entity as defined by HIPAA? If so, you need to read the following excerpt from the American Recovery and Reinvestment Act.

...164.310, 164.312, and 164.316 of title 45, Code of Federal Regulations, shall apply to a business associate of a covered entity in the same manner that such sections apply to the covered entity. The additional requirements of this title that relate to security and that are made applicable with respect to covered entities shall also be applicable to such a business associate and shall be incorporated into the business associate agreement between the business associate and the covered entity.

...case of a business associate that violates any security provision specified in subsection (a), sections 1176 and 1177 of the Social Security Act (42 U.S.C. 1320d–5, 1320d–6) shall apply to the business associate with respect to such violation in the same manner such sections apply to a covered entity that violates such security...
Do I have your attention now?

For the past 6 years only covered entities such as physicians, health plans or healthcare information clearinghouses were required to comply with the infamous HIPAA security and privacy rules. Organizations that may have had access to protected health information (PHI) but were not covered entities (CE) were not required to follow HIPAA standards. Most business associate agreements (BAA) stated only that the BA would protect the information they obtained from or managed on behalf of a CE with due diligence. ARRA has changed the rules of the game. I'm actually surprised it took this long.

If you are a business associate of a covered entity then you need to prepare to take on some additional risk. Now that a BA is legally bound to the same standards, sanctions and fines for deficiencies are a new reality. Hopefully your business model was to comply with HIPAA from the onset knowing this day would come. If so, great. If not, you will be playing catch up for quite some time.

While there will surely be a ramp up period before heavy enforcement begins, you can be sure there are some examples to be made. Don't be one of them. Get your business leadership together and review your risk assessments, control standards and overall security posture. Even having a nightmare story to tell an auditor who shows up unexpectedly will go over a lot better than no story at all. Guaranteed.

I'm not a huge baseball fan who lives for the sport. I played little league and one season in high school. As an adult I've played men's league slow pitch softball for years. Mostly just for the exercise and to hang out with friends. For me personally, the game itself just doesn't elicit the response that football or basketball does. I do however love to see a classic duel between a pitcher's pitcher and a hitter's hitter. The way they stare each other down, size each other up, try to anticipate the pitch or swing. The sequence might go something like this.

Curveball, high and inside. BALL 1.

Swing and a miss at a fastball down the center. STRIKE 1.

Off speed change up down and away. BALL 2.

Foul tip into the stands. STRIKE 2.

Curveball just outside the zone. BALL 3.

The home plate umpire yells... FULL COUNT.

This is it. Down to 1 pitch, 1 swing. Pressure is on both parties to perform at their peak. Who's gonna flinch?


I feel this is where most organizations are with the federal government with regard to information security: staring down a full count. They've pitched us some curveballs like SOX and some dead-on heat like HIPAA. We've sat back and taken a couple of pitches to see what Uncle Sam's arm is like. We've swung at a few but only gotten a piece of it. Or maybe we've driven it deep but slightly foul. We're staring down a full count with Uncle Sam. If we (Corporate America) don't start taking information security and privacy more seriously and knock one out of the park, Uncle Sam is going to throw a 102 MPH fastball down the pipe and we'll "go down lookin'" as they say. The writing is on the wall. Just look at some of the changes "hidden" in the 1000+ pages of the American Recovery and Reinvestment Act (ARRA) of 2009.

It has some interesting implications for the health care industry. Previously, the HIPAA privacy and security regulations only applied to covered entities. These were typically health care providers and payers such as hospitals, physicians, health insurance plans and health information clearinghouses. Business associates (BA) who had access to the data via a covered entity simply had to agree to protect the data in a similar fashion but weren't specifically bound by HIPAA. Nor could they be penalized under HIPAA for a data breach.

The ARRA contains something called the Health Information Technology for Economic and Clinical Health (HITECH) provisions, which expand data privacy and security as defined under HIPAA. HHS is in the process of rolling out new guidance which is expected to significantly broaden the reach of data security and privacy for the health care industry. This will include binding business associates of a covered entity to HIPAA rules and regulations, increasing penalties, and allowing states to enforce some of the penalties. HHS will be releasing its new HITECH regulations sometime this month, so over the next week I'll provide some guidance on what to expect.

In the first part of this discussion I spoke to those not currently in the IT career field. Now let's focus on those of you who are in IT but are being lured by the mysteriousness of InfoSec and Information Assurance. How do you prepare for the transition? What are job prospects like? What are the challenges?

Let's start with preparing for the transition. You need to jump out of your comfort zone. I can't say it more simply. Get uncomfortable and stay that way. Start doing some job shadowing in other IT disciplines. For instance, if you are a developer, spend some time with the infrastructure teams or volunteer to manage a project. If you are a network engineer, start learning some development methodologies or pick up a language. Developing a well-rounded skill set in multiple disciplines will be critical. You have to be able to see the forest for the trees.

Certainly you can choose to specialize in a security focused discipline as well. You could only do forensic analysis, code review, penetration testing, risk analysis, PKI or any number of other things. If you really love it and are happy with the compensation and future opportunities then go for it. I usually recommend people pick up some additional skills though. As technology advances, markets change, etc. you may find yourself being forced into doing something different. You want to be ready for that before it actually happens. Being somewhat diversified can also provide you some credibility. When you're an expert in one area but can speak intelligently to all disciplines in the room…Wow.

Next is to consider a professional or technical security certification. CompTIA's Security+ is a good place to start. It's an entry level technical certification which may help you decide if security is even right for you. Then you can move into some of the advanced tracks such as SANS GIAC certifications or the CISSP from (ISC)2. While certifications alone don't prove anything, when combined with experience and education they can help convey your skills and abilities to hiring managers.

As with any major shift in a career you might have to consider taking a lower-level position than what you're accustomed to in your current career. Breaking into a new role can be difficult. Given the shortage of security professionals we're now facing, I doubt many of you will need to do this if you've followed the steps above. A search for the words CISSP OR security OR GIAC yielded just over 10,000 positions. Granted there is some duplication there, but you get the picture. Try a search for DBA or CCIE and you get about 20% of that. This is a great field to be in and it's only going to get better.

A common mistake people make is to join security so they can force people to do something they couldn't otherwise make them do, like patching or implementing change management. Sorry to tell you this, but security can't make anybody do anything. And if you try... you doom any chance you had of earning respect in the organization. Our role is to identify risk and help determine ways to reduce that risk to acceptable levels. Only the business unit leadership can choose to accept or reject risk. It's their data and process, so it's also their head on the chopping block. Security should be a trusted advisor to the business, not heavy-handed thugs. Does this get frustrating at times? Sure. However, once you accept your role in the BUSINESS, things get easier.

My last bit of advice is to find a mentor. They can help you learn about different career options, pick good educational opportunities or even help you land a job in the field. I have mentored several people over my career and it's been a great experience for both sides. Mentors are rich sources of information, and have lots of experience and networking contacts. The relationship will only be as fruitful as you make it, though. Don't expect your mentor to do much of the work. That's your job.

If you're thinking of getting into information security I welcome you with both arms. We need more in the ranks. Do it for the right reasons though. You're not going to be popular, have lots of perks thrown at you or be the envy of all your friends. There are a lot of late nights, lonely lunches and some very uncomfortable discussions you'll need to have with people at all levels of the organization. If that appeals to you, and I'm not entirely sure why it would, then welcome to the party.

If you are considering Information Security as a profession and are looking for a mentor I'd be happy to interview you. I only maintain a couple of mentee relationships at a time. If we're not a good match I may be able to help you identify another mentor.
