The HIPAA Security Rule, created in 2003, establishes national standards to protect individuals’ electronic health information that is created, received, used, or maintained by a covered entity. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was signed into law, addressing some of the privacy and security concerns associated with the electronic transmission of health information. While the HITECH Act allows for greater enforcement of data breaches, what it does not do is strengthen the security standards by which the healthcare industry is held accountable. The question is: should HIPAA be updated so that the minimum standards are higher?
Recent research indicates that 91% of healthcare organizations have had at least one data breach over the past 2 years. Healthcare breaches are currently on the rise, with more than 91.7 million records breached already in 2015. The average cost of a data breach is $5.9 million per breach, higher than in any other industry.
One reason we see so many healthcare data breaches reported is because the compliance laws in healthcare are quite a lot more stringent, so more data breaches are reported. The healthcare industry is also one of the most highly targeted industries because healthcare data is the most valuable to cybercriminals; more attacks lead to more breaches.
It is obvious that healthcare data breaches are a problem, the question then would be if revising HIPAA could help curb these data breaches. There are many articles talking about how HIPAA is not enough and how HIPAA is outdated, and we can’t argue with that. HIPAA doesn’t reflect the current issues of healthcare data protection, not when it comes to mobility or the Internet of Things, or EHR or the cloud.
One of the problems affecting the creation of national standards such as HIPAA is how quickly such standards would become obsolete. The risk landscape is always shifting, as is the influx of new technology. Would a revision to HIPAA now foresee how data is created and used in the cloud, on mobile devices, or on the variety of wearable devices entering the marketplace?
Some people argue that there should be a base set of “security controls” that would help secure and promote the interoperability of healthcare data. While updating HIPAA could indeed help with interoperability, it doesn't necessarily help reduce the number of data breaches affecting healthcare. National standards such as HIPAA will never go far enough to create a perfect breach-proof organization.
Security standards only ever serve as a baseline upon which more layers of security are added depending on individual risk assessments. Processes and education serve to further tighten security, given that most breaches are still the result of a simple mistake. As the article on Health IT Security notes, mega breaches such as those at Primera and Anthem don’t offer red flags that these organizations did something “wrong”, but that a persistent attacker will be successful, in time. Healthcare organizations need to focus on more than incident prevention, as incident detection and response can go a long way to mitigating the fallout of a breach.
While data breach figures paint a picture of lax security among healthcare organizations, from our experience in working within many industries, we see healthcare organizations as ahead of the game in many areas. Increased regulatory pressure, greater audits and fines, and greater public scrutiny have led to a level of IT security expertise in healthcare that is unrivalled in other industries. Faster than in other industries, healthcare professionals have realized that best practices and national standards are just not enough.
Yes, healthcare organizations are being held accountable by HIPAA standards. And yet, we don’t believe updating HIPAA would strengthen the healthcare industry; we already see healthcare organizations going above and beyond HIPAA in creating their security programs. We think the healthcare industry is far ahead of many other industries in terms of preparedness and will continue to support them in their efforts to improve. If your organization is looking to increase its cyber-security posture, get a free 30 Day Trial of Absolute today.