Why check-box HIPAA compliance won’t prevent data breaches


(Editor’s note: A recent study of 243 hospitals measured how “operationally mature” organizations were more likely to be motivated by actual security concerns rather than just complying with privacy rules. In this guest essay, a co-author of that study, Dr. M. Eric Johnson, dean of Vanderbilt’s Owen Graduate School of Management, explains the significance.)

Imagine a security breach in the healthcare industry. Sensitive identification and health information gets exposed. Such a breach may simply result in the embarrassment of showing how many plastic surgeries you really had.

But it could also result in social stigma or lead to financial or medical fraud. Stolen healthcare records can be used to commit medical identity theft, where individuals assume the victim’s identity to receive medical treatment, resulting in potentially life-threatening changes to medical records. Victims can spend years trying to correct their medical records.

By the close of 2013, over 200 breaches affecting nearly 6.5 million Americans were reported to the US Department of Health and Human Services. And many analysts believe 2014 will be even worse.


As the Affordable Care Act drives more digital activity, new threats will emerge that will likely result in additional breaches. It is time for healthcare executives to make a security plan for 2014 and avoid becoming the next security breach headline.

In a research article that went to press in December, my co-authors and I show just how important planning is. Examining data from 243 hospitals, we find that while compliance with state and federal IT security mandates like HIPAA helps the worst hospitals protect patient information better, organizations that maintain and regularly update a security plan get far more from their security investments.


We define these organizations as “operationally mature.” These strategic plans — along with periodic reviews — enable organizations to learn of potential new risks and evaluate their own security posture. As a consequence, organizations’ security resources are better targeted to address their specific needs and the environments in which they operate.

Our results show that the impact of security investments varies depending on the operational maturity of the organization. In operationally immature organizations, compliance significantly improves actual security, while surprisingly it does not have any impact in operationally mature organizations.

Furthermore, our findings suggest that operationally mature organizations are more likely to be motivated by breach occurrences than by compliance with federal and state security standards. By contrast, operationally immature organizations are more likely to be motivated by standards compliance than actual security.

We conclude that security resources appear to be more strategically planned and executed in operationally mature organizations. This results in complementary effects that improve overall security performance.

Based on our analysis, we argue that policymakers should focus on providing guidelines designed to help healthcare organizations achieve operational maturity regarding IT security rather than simply imposing single-solution compliance requirements.

Similar to teaching a person to fish, regulations should encourage organizations to actively develop and maintain their own action plans rather than providing check-box requirement lists.
