How Far Does Prevention Go When Securing Health Care Data?

In most areas of health care the adage that “an ounce of prevention is worth a pound of cure” holds true. But for information security professionals in the field, the answer has not been so clear. Debate continues between two camps of researchers: one group maintains that it’s far more efficient to learn from the past and use that information to thwart future attacks; others advocate investing in preventive measures, saying that proactive organizations build a deeper understanding of both their own weaknesses and future threats.

It’s an important question. While all U.S. hospitals have taken some action to maintain HIPPA compliance, which specifies that protected health information (PHI) be protected, security threats have grown significantly as patient information moves further into the digital realm.

Four years ago, as part of the Obama administration’s move to digitize health care information, the Department of Health and Human Services (HHS) mandated public disclosure of PHI breaches affecting 500 or more individuals. Since that time more than 650 breaches have been reported, which have affected nearly 22 million patients. In each case the patients are notified, the breach is posted on HHS’s wall of shame, and in a few instances organizations have been fined. In July, for example, WellPoint was fined $1.7 million for a breach involving more than 600,000 patients. But the real costs are born by patients in lost privacy and the lasting fear of fraud. Regardless of the size, security breaches cause real harm.

These new breach disclosures provide important clues for information security specialists as well as academic researchers. Those in favor of designing security systems in reaction to past attacks posit that proactive strategies require large upfront investments and that it is difficult to know where to invest because the threats are constantly evolving. Rather than spending time, effort and money trying to anticipate every possible threat — including phantom dangers — they advise first observing attacks and then allocating security effort.

What that analysis misses, however, is that, like proactive recalls in consumer goods, investments in preventing security breaches helps stimulate organizational learning, a point for which the research literature provides some support. Rather than simply reacting to failures, proactive initiatives involve identifying weaknesses and investing in the most likely failure points.

In a study appearing later this fall, Juhee Kwon and I provide evidence that proactive security investments are more effective than reactive ones. Examining the security investment decisions and breach history of 2,386 U.S. hospitals over a five year period, we found that proactive investments were associated with lower security failure rates than investments made in reaction to breaches. Combine that with the costs of breach disclosure and security program costs and we show that proactive investments are more cost effective than reactive investments. In other words, hospitals lower their security cost while providing more effective digital protection and patients experience less harm from having their private data exposed. That’s a win-win.

Of course we should learn from our mistakes, but it is time for healthcare organizations to stop chasing the past and focus on taking a proactive stance to help keep patient information secure.