When it comes to preventing a healthcare data breach, what is more important, technology or compliance? This is a conversation that has been debated in HIPAA compliance circles for quite awhile now and where you fall in the argument seems to have a lot to do with the title before your name. Of course compliance and privacy officers are going to say compliance, nurture; where information security is going to say technology, nature. Jeremy Henley at ID Experts has a great article about the balance needed.
The answer to the question, in my opinion, is that they need to be balanced equally to truly create a defensive position against the risks from a data breach. Currently they appear to be tilted heavily toward the technology that aims to prevent breaches. Organizations need to accept that a breach will occur and work toward minimizing the losses. By losses I am referring to the records, as well as the reputational exposure and outcome of a potential Office of Civil Rights (OCR) investigation. Rarely, in my experience, do organizations fully appreciate the risk of a breach prior to one occurring. If the budget were balanced between compliance efforts and technology to support these efforts versus technology now and compliance if we can afford it, the damage would be less.
Just like the nature versus nurture conversation, I think it is a balance of the two. Without one, the other is less effective. But I agree with Jeremy, many organization do not appreciate the risks of a healthcare data breach until it’s too late.
You can read the full article here “Is technology or compliance more important in terms of minimizing the risks?”