HIT Security: Conclusions in a “Contradictory Report”-Sandwich?
The Ponemon healthcare study, the Second Annual Benchmark Study on Patient Privacy and Data Security (sponsored by ID Experts), has been gaining quite a bit of attention in the press and in the blogosphere over the past few days.
Overall, it's an interesting report (as most Ponemon reports are). And I for one am pleased that folks out there are interested enough in the intersection of HIT and security to go out and read it... even more pleased that so many people find the topic interesting and valuable enough to write about it.
But all that being said, there's something about it that's leaving me scratching my head.
And I don't mean to call into question the value of this (excellent) document... but let me walk you through what I mean so you can see what I'm talking about.
First, hold in your head for a minute the very dire picture of HIT security as reflected by the Ponemon survey.
These are results we can be reasonably confident in, by the way, since they're reflected independently in other data collected on the same topic.
So security in HIT sux, healthcare security's the devil, etc. Got it? Good. Put a pin in that for a minute...
Now go take a look at what providers are doing and spending in security. We can do this because the HIMSS Security Survey tracks it for us - using the same measuring instrument as Ponemon (a survey of those in healthcare).
Now, a close reading of the HIMSS reports can tell us a lot about what's happening behind the kimono at providers and how/what they're doing from a security standpoint. Take a look, for example, at the recently-minted 2011 Security Survey, but also, as a backdrop - and a baseline - at last year's as well.
While a lot has remained unchanged year-to-year, there are a few trends that the survey calls out:
- Increased security budget for two years running (2011, page 4 - 2010, page 4)
- Decreased use of user-dependent access-gating security controls [implying increased use of automation] (2011, pages 11-12)
- Better detection of security incidents (2011, page 15)
- Increase in encryption overall [though desktop encryption remained constant] (2011, page 19)
- Increased use of - and derived value from - audit logging (2011, page 14)
- More providers using IDS (2011, page 14)
- Decreased incidence of medical identity theft (2011, page 20) [Note: compare the HIMSS-reported 35% decrease in medical identity theft to the Ponemon survey's cited 26% increase... Not sure what that's about.]
These are all positive things -- at least according to traditional wisdom.
So what's up with that? Can it be the case that investment is up, security controls are more prevalent, and yet derived value is down? I'm not sure I buy that.
Yes, yes... spending is not a reliable metric of effectiveness (if it were otherwise, our cable company would be exemplary). But surely, we'd expect more spending plus more controls to equal better security? Right?
Unless the barometers that the Ponemon study uses (i.e. breach disclosures, breach impact) are actually indications of better security overall, instead of worse. Could it be the case that data breaches are on the rise because we're finding more of them? Because we're looking for them now that not doing so violates federal law?
Could it be that the cost to respond to breaches is up because we're doing more about them when we find them? Those explanations also fit the Ponemon data, and they make more sense in light of the HIMSS report.
Now, I'm not arguing with anybody's conclusions here... I'm the first in line to say that security in healthcare sucks on ice. All I'm saying is that there are only three conclusions we can draw:
- One of the two surveys is inaccurate or an outlier [unlikely]
- The two surveys suggest that value per security dollar invested is on the decline industry-wide [also unlikely]
- The two reports are saying the same thing -- but instead of the conclusion that security is dismal and on the decline, the data points in the Ponemon report actually reflect positive outcomes instead of negative ones. I'm going to suggest that this is where Occam's Razor points.
Or maybe something else entirely? Meh... just my opinion.
Cross-posted from Security Curve Weblog
Image Source: bored.com