And, of course, the news doesn't bode well. As the Privacy Rights Clearinghouse notes, we've already surpassed 100 million records being exposed. Reports of such incidents still keep hitting, with Jan. 2 witnessing a hospital in Indiana notifying over 100 patients of potential exposure of their Social Security numbers.

The Congressional passage of the Health Insurance Portability and Accountability Act (HIPAA) in 1996 and its eventual Privacy and Security Rules, which went into effect in 2003, were supposed to help solve these problems. Unsurprisingly, not much has changed.

"This stands in stark contrast to the catalyzing effects of the Gramm-Leach-Bliley Act and the Sarbanes-Oxley Act, which brought information security to the board level," says Jon Gossels, president and chief executive officer of information security consulting firm SystemExperts.

This is strange given that guidance on the rules is ample through the National Institute of Standards and Technology (NIST) website, says Gossels.

So what gives? Is it HIPAA's lack of teeth? Lack of IT security knowledge among health care providers? Lack of funds? What?

According to Gossels, it's a combo package.

"These small businesses are not IT savvy and operate on tight budgets that have never included costs for information security," says Gossels.

And, yes, lack of enforcement plays its part too, he adds. Although the Health and Human Services Office for Civil Rights and the Department of Justice enforce the civil and criminal sides respectively, "it is clear that individual health care providers and the health care industry as a whole have concluded that HIPAA non-compliance poses...no business risk," says Gossels.

This way of thinking is pure folly, though. When a breach of patient information does happen — and it will happen — the time and expertise required to rectify the situation, alongside the potential liability and the reputational impacts, will far outweigh the initial capital outlay and resources needed to enact measures to help prevent such compromises from occurring in the first place. With or without the security and privacy rules that legislation such as HIPAA lays down, preparing for the worst then hoping for the best is the way to go — really, the only way.

- Illena Armstrong is SC's U.S. editor-in-chief.