Working with healthcare organizations, I am constantly aware of the restrictions my staff and I must abide by according to HIPAA constraints.  It’s not really rocket science; as far as data security goes, HIPAA mandates what logically should already be in place.  Any organization that takes data security seriously will already have safeguard on the storage and transmission of data, fully tested backup and recovery procedures, comprehensive access control, and auditing tools.  I’m quite sure that most people feel safer at night knowing their sensitive medical records are safer because of HIPAA.  But it is really safer?

Like most government regulations, HIPAA dictates what should or must be done without indicating how it must be done.  There are certain key items, including uniquely identifiable user IDs and auditing, that are specifically identified as “Required” by HIPAA, but the standards for these mechanisms is not further defined.  For many other elements, entities governed by HIPAA are required to take measures that are “reasonable and appropriate”, leaving much room for interpretation.  And it’s that gray area that makes me question the effectiveness of regulation as a whole.

For me, reasonable and appropriate security measures include a need-to-know policy for data access, encryption at every leg of in-transit data, a fully anonymized data set (no live data) for testing and training, and desktop access procedures to prevent inadvertent unauthorized access.  However, because regulations are largely subject to interpretation, one cannot be absolutely sure that these measures are being taken to safeguard sensitive data.  I have worked with a number of vendors who properly insist upon abiding by the best-practice implementation, but there are still many shops – and even some large organizations – that only do the bare minimum to avoid fines from the feds.  I know of one large software vendor which has a standard practice of rolling out their entire live environment, complete with sensitive personal information, to the training and testing environments where auditing is minimal if not completely absent.  I dealt with a small shop recently that was receiving most of their data on a standard unencrypted FTP server.  Interestingly enough, when I challenged their technical person that the FTP server was not secure, she told me “No, it’s pretty secure here.”  Pretty secure?  What, secure as in it’s locked up in your server room?  And though it’s difficult to prove or audit, I suspect that the exchange of sensitive information is done via e-mail much more often than people acknowledge.

Fortunately, in all of the cases I’ve found in which I found a potential vulnerability, I was able to strongarm the parties involved by waving the HIPAA security rule flag – even though there may not have technically been a violation of regulations, the suggestion that a high-profile breach was possible was enough of an argument to force a procedure change.  Still, when I think about all of the places over the years where I may have left sensitive data, I can’t help but wonder how seriously those places are in terms of security?  Are they as stringent about security as I am, or do they have the kind of lackadaisical attitude about data protection that keeps people like me up at night?

I’m curious – since most of my regulatory experience revolves around HIPAA, I’d like to hear from those who regularly deal with SOX or similar legislation.