The American Recovery and Reinvestment Act of 2009 (aka the stimulus package) included funds to both implement electronic health records and rules to specifically improve personal health information breach notification rules. It’s ironic, then, that the rush to digitize personal health information didn’t include implementing security.  A recent survey of IT managers involved in healthcare revealed that 80% had suffered at least one incident or more of lost or stolen health information over the past year. More tellingly, most still have no support from their senior management to fix the problems.

It's not that the costs of a breach don't have sufficient teeth. Heartland Payment Systems has incurred over $12.6 million in fines, penalties, and other costs associated with their breach of credit card information. And while that's a different industry and a disproportionately massive example, the breach penalties and notification requirements between PCI and HIPPAA are not dissimilar. According to this health information study, the costs of a compromised health information record exceed $210 per instance. That can obviously add up quickly when a database containing thousands of records has been exposed.

So what's the problem, then? One huge one is that developers still don't have a good understanding of security. Most have heard of Cross-Site Scripting, for instance, but they've never seen it exploited. And when you don't understand the problem, it's hard to convince budget and time constrained managers that the costs to fix the problems are ultimately reasonable. Until the ease with which data breaches occur are understood, vendors are going to continue to play a dangerous game by not fixing the problems. There is a proven need for upgrading our medical systems to be both more cost-effective and to provide better overall health care. But security needs to be a part of that prescription, too.

http://www.informationweek.com/news/healthcare/security-privacy/showArticle.jhtml?articleID=220700395