Stop Talking About Compliance. Please.

We’re now eating the exhaust of the massive Anthem breach and predictably, a Google search serves up hundreds of commentary pieces about this being the wake-up call, the call to arms, a turning point for healthcare data security.

Whatever. Security experts can write as many treatises as they want about what new and improved data security methods need to be applied, but the hard truth is that the healthcare industry has never made an effort to have a serious conversation about real-world security. Instead, the industry has conditioned itself to talk and think about compliance, which many have learned the hard way is an entirely different matter. And whatever happens next in terms of regulatory actions, it likely will continue to do so.

Healthcare data security by and large rolls up to an executive whose background is in compliance. And that’s great if you as a C-suite leader want to check off on all your HIPAA privacy/security requirements and sleep well at night. You have elaborate, role-based data access matrixes, you’ve spent treasure on making sure nurses aren’t sharing passwords, and workstations are angled properly so passing staffers or patients can’t read what’s on screen. And you’ve convinced physicians that if they have water-cooler conversations about their patients, or even heaven forbid send an e-mail that contains “exposed” personal health information, you’ve got the torture chamber fully staffed.

These are exercises in compliance, not in actually keeping data secure. The HIPAA security standard contains a number of “required” and “addressable” specifications. In the compliance mindset, the required ones are the specifications you have to implement, and the addressable ones are the specifications you pour a lot of energy and billable lawyer hours into documenting why you can’t possibly implement, while throwing in an alternative security measure that can pass the compliance smell test but is completely inadequate out in the digital jungle. That matters all the more in light of how incredibly attractive healthcare data, combined as it often is with Social Security Numbers, home addresses and rich financial information, is to villains both foreign and domestic.

The cavalier attitude toward data at rest is a glaring example. Someone who spent their career in security would reflexively focus on the vulnerability of databases, which are a couple of passwords and third-party contractors away from being completely exposed. They wouldn’t be thinking about coming up with excuses for why encryption would pose an unreasonable burden on operations; instead, they would focus on making it the rule, not the exception. And while they’re at it, they would probably think “company-issued unencrypted laptops … really?”

But that’s not how the healthcare industry rolls. Hopefully true security experts can convince organizations to stop talking about compliance and instead have some intense conversations around actual data security. Compliance exists in a realm where documentation, not results, is the real goal, and all data is safe if you have the proper paperwork to show regulators. You can draw unwelcome parallels here to the meaningful use incentive program, where electronic health record systems that meet all the requirements are being “meaningfully used” in the estimation of everyone except the physicians who actually use them.

Compliance should be a byproduct of data security planning and a host of other health IT efforts, not the purpose.
