It has become a cliché in information security: compliance is not security. But there is still an unsettling amount of denial out there, based on a recent study from HIMSS Analytics and Kroll Advisory Solutions.

According to the 2012 “HIMSS Analytics Report: Security of Patient Data,” increasingly strict regulation and increased compliance from providers haven’t slowed an increase in breaches over the past six years. Yet respondents to the survey, which included CIOs, compliance officers and HIMs, expressed confidence that they are better prepared for attempted data theft — in spite of evidence to the contrary — because they are in better compliance with regulations like the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009. This is the third of Kroll’s biannual surveys of healthcare providers nationwide.

Along with numerous other security experts, Brian Lapidus, senior vice president for Kroll Advisory Solutions, says being in compliance with policy prescriptions is not the same as actually protecting personal health information (PHI). The results of that are predictable. The number of organizations reporting breaches went from 13 percent in 2008 to 19 percent in 2010 to 27 percent in the past year.

The financial risks of PHI breaches are expanding as well. Not only are there the expenses of cleaning up a data loss, but attorneys nationwide are watching a number of class-action suits in California, where a law that provides for $1,000 in damages per patient, per breach, has prompted a flurry of class-action lawsuits against healthcare corporations where the potential liability is as much as $4.5 billion.

The survey’s findings on why compliance is not enough are familiar to security professionals as well.
First is that human error, not policies, systems or organizational flaws, poses the greatest risk for a data breach. Sarah Flanagan, a partner at the California-based law firm Pillsbury Winthrop Shaw Pittman LLP, one of the firms defending healthcare corporations against the class-action suits, says, “when you analyze privacy breaches, you find frequently that they are caused by human error — a (single) human, rather than the organization.” This is despite the fact that most companies drill security policies into their employees: don’t take home laptops or thumb drives; don’t have confidential information on your screen when you’re doing some work at a local coffee shop; don’t even leave your desk at work with confidential information on the screen.

Another predictable finding is that the exploding use of mobile devices increases the risk of breaches. All experts agree that the more accessible data is to more parties, the greater the risk of breaches. Flanagan says there is a natural tension between expecting information to be remotely accessible while at the same time expecting 100 percent security. “I don’t know if people appreciate that tension,” she says.

But the survey did find some organizational flaws as well, specifically confusion over who is really responsible for data security. The respondents’ answers ranged through CIO, CSO, CEO, HIM and chief compliance officer.

Still, no matter who is in charge, security depends on accountability at all levels. It is the dozens, hundreds, perhaps thousands of employees who have to understand that there will be consequences for security policy lapses. If there are consequences for a lapse, even if it does not result in a breach, that will make bad events less likely. “It’s all part of putting teeth into compliance,” Flanagan says.