Why check-box HIPAA compliance won’t prevent data breaches

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someonePrint this page

(Editor’s note: A recent study of 243 hospitals measured how “operationally mature” organizations were more likely to be motivated by actual security concerns rather than just complying with privacy rules. In this guest essay, a co-author of that study, Dr. M. Eric Johnson, dean of Vanderbilt’s Owen Graduate School of Management, explains the significance.)

Imagine a security breach in the healthcare industry. Sensitive identification and health information gets exposed. Such a breach may simply result in the embarrassment of showing how many plastic surgeries you really had.

But it could also result in social stigma or lead to financial or medical fraud. Stolen healthcare records can be used to commit medical identity theft where individuals assume the victim’s identity to receive medical treatment resulting in potentially life-threatening changes to medical records. Victims can spend years trying to correct their medical records.

By the close of 2013, over 200 breaches affecting nearly 6.5 million Americans were reported to the US Department of Health and Human Services. And many analysts believe 2014 will be even worse.

More: Healthcare data at risk – Why medical records are easy to hack, lucrative to sell

As the Affordable Care Act drives more digital activity, new threats will emerge that will likely result in additional breaches. It is time for healthcare executives to make a security plan for 2014 and avoid becoming the next security breach headline.

In a research article that went to press in December, my co-authors and I show just how important planning is. Examining data from 243 hospitals, we find that while compliance with state and federal IT security mandates like HIPAA helps the worst hospitals protect patient information better, organizations that maintain and regularly update a security plan get far more from their security investments.

Eric Johnson531px

We define these organizations as “operationally mature.” These strategic plans — along with periodic reviews — enable organizations to learn of potential new risks and evaluate their own security posture. As a consequence, organizations’ security resources are better targeted to address their specific needs and the environments in which they operate.

Our results show that the impact of security investments varies depending on the operational maturity of the organization. In operationally immature organizations, compliance significantly improves actual security while surprisingly it does not have any impact in operationally mature organizations.

Furthermore, our findings suggest that operationally mature organizations are more likely to be motivated by breach occurrences than by compliance with federal and state security standards. By contrast, operationally immature organizations are more likely to be motivated by standards compliance than actual security.

We conclude that security resources appear to be more strategically planned and executed in operationally mature organizations. This results in complementary effects that improve overall security performance.

Based on our analysis, we argue that policymakers should focus on providing guidelines designed to help healthcare organizations achieve operational maturity regarding IT security rather than simply imposing single-solution compliance requirements.

Similar to teaching a person to fish, regulations should encourage organizations to actively develop and maintain their own action plans rather than providing check-box requirement lists.

More on emerging best practices

Encryption rules ease retailers’ burden
Tracking privileged accounts can thwart hackers
Impenetrable encryption locks down Internet of Things