A hack attack against a Virginia database has doctors refusing necessary prescriptions, legislators threatening to blow up a $2 billion contract, and reporters wringing their hands over the dangers in health IT.
This happens regularly, whenever a secure database is compromised. It doesn’t matter whether the hacker uses the data or what their motive was. The fact that it was accessed sets off alarm bells and can destroy companies.
Not that some concern, and firm action, aren’t warranted. Credit companies have become far more vigilant in their treatment of customer data as the result of recent scandals.
This is good news. But the credit card processing system hasn’t been taken down, and no one has questioned the need for computers to process credit cards, as a result of these breaches.
This is not true in health care. Each report of a breach is seen by some doctors as a great excuse to reject computerization entirely.
Part of this is the nature of the data. Private health records should be private.
But part of it is also paranoia, and it’s this which needs to end.
Accidents will happen. Hack attacks will happen. Neither HIPAA nor any other law demanding that health data be kept safe will prevent this. Criminals will try to take advantage of these breaches and blackmail people.
Bruce Schneier has been following this trend for years and calls the HIPAA paranoia ridiculous, given that the law was gutted by a 2005 Justice Department ruling. The concern is basically crocodile tears.
So let’s admit that. Let’s establish procedures under which all breaches can be investigated, and perpetrators prosecuted. Let’s work to make breaches of computer security a global crime, one every country takes seriously. Treat these incidents as break-ins and put those who commit these crimes in jail.
Then let’s move on to do what every other civilized nation has done, namely bring our health records into the 21st century.