Breaches in healthcare vs. finance: unpacking the data

Posted by in Analysis on Aug 13, 2010

So, if you pay attention to this stuff, you may have noticed recent studies showing that healthcare breaches have now outpaced financial-services incidents.

That’s an interesting piece of data in and of itself (I tweeted about it the other day). However, I think we have to be careful about how we interpret it.

For example, I think Art Gross is right in saying that EMRs/EHRs are likely to increase breaches over time. His analysis is interesting and worth the read. But it’s important to keep an eye on the when of what he’s laying out: EHR adoption is still very much a future state. Most of us in the trenches are dealing with tactical stuff like cleaning up the ridiculous mess of applications currently deployed, and just getting ready to lay the groundwork for the fancy stuff.

In other words, I don’t think EHR adoption is responsible for the upswing we’re seeing. No question it will be huge in the future, but I don’t think it has started yet. Instead, I think changes to the reporting requirements are driving the upswing. Put simply:

Breaches in healthcare remain constant, it’s reporting that’s increased

What do I mean by that? Consider: when did the HITECH breach notification requirement go into effect? Ding ding ding ding… That’s right: 180 days after enactment of HITECH, which was signed in February 2009, so the requirement kicked in during the second half of 2009. Now, what is the date range of the study we referred to earlier? January 1, 2010 – mid-year 2010, the first period in which reporting was mandatory for the entire window.

Coincidence?  I doubt it.

Here’s my question: has something fundamentally changed about the way healthcare operates in 2010 to cause a ZOMGBBQ spike in breaches? I’m a firm believer in Occam’s Razor: the simplest explanation is usually the right one. And what’s simplest? All these breaches were already happening… they just weren’t being disclosed.

I’ve been saying this for a long time now. Yes, state breach disclosure laws require disclosure when PII is put at risk. But for providers, PII != PHI. You can argue about the extent to which that is or isn’t true, but providers usually don’t treat the two as the same thing. HHS is another story: HHS saying “thou shalt report it” carries enough weight that folks are actually toeing the line.

Keep in mind this is all anecdotal; I have no studies that prove or disprove what I’m asserting here. But based on what goes on inside hospitals and health systems, that’s what I’m going with.
