A good article in InfoSecurity on May 5th on the HITECH act got me thinking (as good articles should) about health records, security, and well, all things HIPAA-ish.
I certainly agree with much of what was said, and I think it’s clear that the pressure is ramping up rapidly to not only comply with HITECH, but to do so in a way that is secure. Because there, you see, is the rub. If there’s anything that the last few years of PCI-DSS (Payment Card Industry Data Security Standard) has taught us, it’s that being compliant doesn’t guarantee a whole lot when it comes to keeping data secure.
Compliance with any standard, whether that’s HIPAA/HITECH, PCI-DSS, NERC CIP or your acronym of choice, is a way of measuring, usually at a broad-brush level, whether the basics for good security are getting done. It isn’t a measure of whether you’re likely to get breached, but rather an assurance that the minimum level of attention is at least being paid to the problem.
Sadly, media reports highlight soo many organizations that learned this lesson the hard way.
One of the nice things about compliance, however, is that it provides a framework for discussing what’s working, what’s not, and increasingly, a way to bring some market pressure to organizations who have had less than stellar security in the past. A little sunlight gets shone into the dark corners of the security closet.
So I took my browser over to the Department of Health and Human Services site where they list the breaches of health records covered under HITECH (affecting 500 or more individuals). Over the last six months over 1.3 million records have been breached. Sadly, given the scale of some of the more notorious credit card breaches, which are measured in the tens of millions, that number doesn’t even seem that large. The difference here, of course, is that the information being breached isn’t just your credit card number; it’s a lot more than that. This is information that is about as personal and private as you can get.
The fact is that while any regulation around protecting healthcare information is a good start and should be applauded and supported, there is clearly a long way to go to keep our highly sensitive, and unfortunately, very valuable, personal information out of the wrong hands.
Many of the breaches recorded are the result of laptop or other electronic device theft, while a significant number are also associated with paper records. Both of these would suggest there are some significant process problems to be addressed above and beyond the technical security controls we often see discussed.
While it can be unnerving reading, breach notifications like the aforementioned do ultimately force organizations to take information security far more seriously. And, perhaps HITECH will have the same effect on healthcare records that the oft-maligned PCI-DSS has had on credit card data – raising the discussion to the boardroom and making senior decision makers sit up and take notice.
If that happens, then HITECH will be a success.