When prevention hardly works, establishing ineffective prevention protections, creating and running compliance-monitoring entities, and monitoring providers and payers are especially troubling. While we must punish cyber criminals, it is critical to focus our efforts on protecting and helping victims. This makes far more sense than continuing to pay exorbitant amounts for theft prevention, when the data is as good as stolen. A mechanism like the Health Insurance Portability and Accountability Act (HIPAA) does little for us. It is fundamentally about privacy, not security. While it does address part of the problem by penalizing organizations responsible for inadequately protecting data, we often fail to fully understand that it does not necessarily penalize the many perpetrators who actually committed the crime. 1 Of course, remedying this oversight means swallowing an uncomfortable truth, accepting the sanctity of our privacy, security, and identity as illusions.
We could focus on and invest in improved remediation. As an example, we all too often offer remedies that are nowhere near enough. As an “apology” we frequently provide insufficient free credit monitoring for one to two years. What about 5, 10 or 15 years from now? And what about the non-financial impact – like preventing life-threatening health events as in the earlier example of a mismatched blood transfusion and ensuing reaction?
We are not suggesting discarding prevention efforts entirely. However, in this post-secure world other perspectives are necessary. Philosopher R. H. Blyth put it best: “perfection means not perfect actions in a perfect world, but appropriate actions in an imperfect one.” 2
In other words, we cannot entirely (or perhaps even partially) prevent data breaches and ensuing identity theft.
Whatever level of pre-theft protection we employ is at best a deterrent for the alienated novice, but not the experienced hacker, e.g., organized crime or nation states like China. Posturing and reassurances sound good in the sales brochure, but those are empty promises. Likewise, complicated and expensive prevention regulations and the corresponding cost of understanding and implementing them take valuable resources away from actually solving the problem. So what is appropriate? What is possible? Making the theft less meaningful, reducing the impact on victims, and focusing our resources and energy where they are most needed and of greatest benefit.
Penalizing slow detection, as opposed to disclosure time, could incentivize organizations to proactively engage their customers in faster remediation activities like credit reporting. Compliance audits might force organizations to financially reimburse their customers for the services rendered (e.g., inappropriate charges incurred due to stolen identity) in a timely and non-confrontational manner. Any option we choose is fraught with risk and varying degrees of effectiveness. But focusing on how any option manages the balance between confidentiality, integrity and availability is a good way to evaluate alternatives.
In summary, we must begin by asking what we really want and what we really need, instead of implementing stopgap measures that are merely illusions on top of illusions. We should focus on safeguarding everyone, since we should assume we are all identity theft victims. And if privacy and security are really our concerns, we could enforce lifetime financial and medical identity “credit” monitoring as the responsibility of those who failed to secure that identity and anyone convicted of the theft. As a corollary to the idea of affordable health care, we should act with intent by automatically providing every person with the means to monitor their privacy, security, and identity, and never assume that those who can afford those services or those that are victims are the only ones worth protecting.
Is prevention worthwhile for health IT security? Certainly. It is extremely important. But remediation is a greater goal given prevention does not really work. Furthermore, remediation will help us achieve the triple aim of improving care quality, lowering cost and increasing patient satisfaction. So instead of blindly wasting massive expenditures locking the barn door to protect a stolen horse, let’s shift some of that investment into one more dimension of helping change quality of life for health care recipients, for the better.
- Gellman, Robert, October 2006. Crimes and Sanctions: Current Controversies over HIPAA’s Criminal Penalty. Journal of the American Health Information Management Association (AHIMA), Volume 77, Number 9 ↩
- Blyth, R. H., Zen and Zen Classics: From the Upanishads to Huineng. The Kokuseido Press, Tokyo, and Charles E. Tuttle Co., Inc., Rutland, Vermont. 1960 ↩
Tags: cyberattack, cybersecurity, health identity theft, HIPAA, HIT, identity theft victims, personal health information, security breach, theft prevention, theft prevention costs. Bookmark the permalink.