It looks like we’ve got a billion-dollar mismatch between rules and reality here. An established security research firm has released a study suggesting that while providers are working hard on meeting HIPAA and other security regs, their data isn’t any more secure than when it was before.
Kroll’s 2012 HIMSS Analytyics Report: Security of Patient Data, concludes that the rate of provider data breaches has been rising over the past six years, despite pressure on providers to conduct more security audits and otherwise tighten up their data ship.
What’s scary about this trend is that the healthcare institutions surveyed by Kroll don’t seem to be aware of the problem. Health IT execs rated themselves at 6.4 out of 7 (seven being “extremely prepared’) on their readiness to address data security. That’s up from 6.06 in 2010 and 5.88 in 2008.
But the data Kroll gathered suggests that they’re overconfident at best. It found that 27 percent of respondents had reported a breach during the past twelve months, up from 19 percent in 2010 and 13 percent in 2008. Worse, of those who saw breaches, 69 percent of providers had seen more than one breach.
Now, it would be easy to say that regs like HIPAA, Meaningful Use standards and the Red Flags rules are malformed, and that this is just another case of government getting it wrong to industry’s detriment. If there’s any truth to this notion, I do hope CMS leaders take notice and adjusts some of its requirements; Heaven knows they’d get plenty of credible, carefully thought-out feedback if they ask.
Unfortunately, though, I suspect far from being that easy. We’d all love it if we could just follow the rules, get government approval then say “stick a fork in it, security’s done.” But as readers know, security is such a complex mix of implementing technologies and changing inappropriate behaviors that it’s hard to tease out just what went wrong sometimes.
Still, it’s good to have an organization like Kroll remind us that meeting HIPAA requirements isn’t the be all and end all. Unfortunately, it’s really just the beginning.