Information security for electronic healthcare information is often discussed (though not here) behind closed doors, with lots of whispers. The state of information security in the healthcare space varies, but most insiders agree it is in trouble. Dismal, even. Yours truly even took down an entire hospital's printing network because it was running a super-duper-pooper vulnerable print server that just happened to get popped during what should have been innocent scanning.


Security in many industries starts with compliance, but even that isn't working here. HIPAA has been around for fifteen years, and its follow-up act(s) for less than five, yet we are constantly playing catch-up. A 2006 survey (yes, five years old) found that HIPAA had the lowest compliance rate among the popular initiatives of the time (PCI was not listed; see Allan Holmes, "The Complying Game," CIO 20(13), pp. 40-48). The data is dated, but I believe it doesn't even paint the whole picture.

Some of this has been muddied by a term called "meaningful use," which comes with financial incentives for certain organizations to beef up their IT systems, including, in theory, their security. Unfortunately, good information security practice still seems to sit just beyond many healthcare companies' reach, because of how technology is deployed and used, and because of the lack of enforcement needed to really move the needle.

This post originally appeared on BrandenWilliams.com.