[txcwpalpha]

I spent years as a infosec consultant specialized in major healthcare companies, and my experience is completely the opposite. It is absurdly easy to be 'compliant' with the HIPAA security rule yet still have abysmal security.

The biggest issue IMO with the HIPAA SR is that it is first and foremost a legal matter that involves legal teams, and is not very good at being a technology matter that effectively prescribes security to security teams. Most of the HIPAA-motivated companies I worked with spent more effort getting their legal counsel to build a HIPAA litigation shield (via intercepting and carefully massaging the wording of security assessments) than they did getting their security teams to actually improve anything.

I did have some clients that saw HIPAA as only a foundation and guidelines for truly improving their security, but that was more a matter of the company actually caring about security, and not because the HIPAA security rule is actually effective.

[nradov]

There will always be some organizations that do the minimum necessary to check some sort of "compliance" checkbox. However you can't deny that overall the healthcare industry as a whole has better security and security controls than they would if HIPAA had never been enacted.

[txcwpalpha]

I absolutely do deny that. Of the many healthcare companies I worked at, small 50-200 people shops and massive F500 companies and everything in between, I don't think HIPAA* made any kind of material difference in their security maturity.

The companies that were actually good at security merely used HIPAA as a starting point, and sometimes had to divert resources away from actual security efforts just to meet redundant HIPAA audits. They would just as easily get by with any of the other myriad of security frameworks out there.

The companies that were bad at security either: 1) mostly ignored HIPAA because in many cases it's easier to just buy insurance to cover the cost of a breach, 2) viewed HIPAA as a legal matter and got lawyers involved, who many times actively impeded security infrastructure efforts (fines are less for a HIPAA breach if you "weren't aware" you were doing anything wrong, which leads to companies intentionally avoiding security assessments or altering them to read "everything is fine!" even when they know it's not), or 3) viewed HIPAA as a checklist and once they achieve HIPAA compliance, they think their security is good enough and stop investing in it (hint: achieving HIPAA compliance does not mean you have good security. not even close).

I certainly do contend that HIPAA has not benefited the security of the healthcare industry as a whole. IME, it may have very well hurt it.

* - I'm speaking specifically of the HIPAA security rule and it's effect on organizations' security maturity. In other areas, like patient privacy and disclosure rules, it does seem to have had an effect closer to what is intended.

[rhacker]

I'm not sure doing anything different or better would have a material difference in how much a breach will cost let alone the need to have insurance companies to cover them. Yes it's a lot of buggyman auditing and such, but in the end a breach is a breach and companies will do anything they can do downplay the cost. At least with the rules there is a workflow and process to go through when the breach happens.

When all is said and done it's really the organization. I don't know how many bigcorps I've been at that were just totally inept. The existence or not of HIPAA would not change their ineptness.

[didericis]

I’m not sure if we can really confirm HIPPA’s effectiveness that readily; we don’t live in a non-HIPPA world, so we can’t compare the outcomes.

If hospitals faced zero consequences for losing customer data, then yeah, things would probably be worse. But HIPPA is two things: a set of mandatory requirements and a grounds for suing hospitals that lose/misuse data. I think the latter thing is effective, but the former is not.

[Kalium]

High-quality regulatory regimes are ones where bare-minimum checkbox-driven compliance yields good-enough results. Low-quality ones resemble kabuki, which I've personally witnessed in companies doing PCI self-certification.