HIPAA Could Hurt, Not Help, Data Privacy and Security

By now, you have probably heard about the theft of more than 14 million dossiers on federal employees and the theft of the personal health information (PHI) of 80 million people from Anthem-Blue Cross. You may not have heard about many of the other computer security flaws and breaches that are reported almost daily.

Here are a few from the last couple of weeks:

• A vulnerability in Samsung's Android keyboard installed on over 600m devices worldwide could allow hackers to take full control of the smartphone or tablet.

• Security researchers have uncovered a flaw in the way thousands of popular mobile applications store data online, leaving users' personal information, including passwords, addresses, door codes, and location data, vulnerable to hackers.

• Macs older than a year are vulnerable to exploits that remotely overwrite the firmware that boots up the machine, a feat that allows attackers to control vulnerable devices from the very first instruction.

• Professor Phil Koopman , an expert who testified at one of the Toyota "sticking throttle" trials, detailed a myriad of defects in the software of the throttle control system and in Toyota's software development process. Michael Barr, another expert, cited a heavily redacted report that suggests the presence of at least 243 violations of the " Power of 10-Rules for Developing Safety Critical Code," published in IEEE Computer in 2006 by NASA team member Gerard Holzmann.

• The Boeing 787 aircraft's electrical power control units shut down if powered without interruption for 248 days. As a result, the FAA is telling the airlines they have to do a maintenance reboot of their planes every 120 days.

I've always assumed, as I imagine that you have, that, if any organizations could be expected to use "best practices" and thereby avoid flaws and breaches, it would be Anthem, the feds, Google, Samsung, Apple, Boeing, and Toyota. The only reasonable conclusion is that impenetrable, flaw-free systems are simply not possible and this will not change any time soon. Keep that in mind during the upcoming discussion.

The government, at the behest of lawmakers, loves to tell people what to do. Feasibility and relevance are annoying details best dispensed with. Even vocal conservatives and libertarians, who should be staying out of other people's business on principle, love to tell people what to do. These folks got together in 1996 and enacted HIPAA (in full disclosure, I testified before a congressional subcommittee on this bill before it was enacted).

Among other things HIPAA tells people what to do about privacy and security of patient data, but without much evidence that they needed telling.

I always wondered:

1. Were privacy and security a huge, out-of-control problem before HIPAA?

2. What was the evidence that existing laws regarding inappropriate release of PHI were not sufficient to induce people to exercise due diligence? If they were adequate, were they being enforced? If they were inadequate could they not have been strengthened?

3. Has HIPAA helped?

4. Do billions of signed statements acknowledging privacy policies actually protect anyone's privacy?

5. If there was an incremental improvement as a result of HIPAA, was it worth the billions that have been spent?

6. Do the penalties reduce the chances of a breach?

7.  And finally, is there any chance that the technical measures that are demanded will be effective, given the state of the art.

The approach to the first six questions has basically been one of "don't ask, don't tell," so we will never be able to judge whether the whole thing was worth the trouble or not. The answer to the last question, based on the material presented in the introduction, is: No. The technical expectations embodied in HIPAA are little more than someone's dream. There is no evidence that even the most capable, best resourced organizations in the country are capable of satisfying them (that doesn't mean they shouldn't try). A great deal of time and money could be saved or redirected to patient care if a more realistic approach was taken toward privacy and security. The magnitude and prevalence of breaches has been growing steadily. As it stands, HIPAA may actually harmful because it distracts attention and diverts resources away from those actions that might actually improve privacy and security.