by txcwpalpha 2562 days ago
I absolutely do deny that. Of the many healthcare companies I worked at, small 50-200 people shops and massive F500 companies and everything in between, I don't think HIPAA* made any kind of material difference in their security maturity.

The companies that were actually good at security merely used HIPAA as a starting point, and sometimes had to divert resources away from actual security efforts just to meet redundant HIPAA audits. They would just as easily get by with any of the other myriad of security frameworks out there.

The companies that were bad at security either: 1) mostly ignored HIPAA because in many cases it's easier to just buy insurance to cover the cost of a breach, 2) viewed HIPAA as a legal matter and got lawyers involved, who many times actively impeded security infrastructure efforts (fines are less for a HIPAA breach if you "weren't aware" you were doing anything wrong, which leads to companies intentionally avoiding security assessments or altering them to read "everything is fine!" even when they know it's not), or 3) viewed HIPAA as a checklist, and once they achieve HIPAA compliance, they think their security is good enough and stop investing in it (hint: achieving HIPAA compliance does not mean you have good security. Not even close).

I certainly do contend that HIPAA has not benefited the security of the healthcare industry as a whole. IME, it may have very well hurt it.

* - I'm speaking specifically of the HIPAA security rule and its effect on organizations' security maturity. In other areas, like patient privacy and disclosure rules, it does seem to have had an effect closer to what is intended.

1 comment

I'm not sure doing anything different or better would have a material difference in how much a breach will cost, let alone the need to have insurance companies to cover them. Yes, it's a lot of bogeyman auditing and such, but in the end a breach is a breach and companies will do anything they can to downplay the cost. At least with the rules there is a workflow and process to go through when the breach happens.

When all is said and done it's really the organization. I don't know how many bigcorps I've been at that were just totally inept. The existence or not of HIPAA would not change their ineptness.