A recent study found that a majority of surveyed individuals, acting as potential employees presented with a financial payment or a pressing need to help a family or friend, would violate HIPAA (see story, p. 1).^[1]

Although the authors called their findings a combination of good and bad news, some compliance officials might see only bad. However, the authors include a discussion on “steps that organizations can take to reduce the chance of security breaches” that may prove to be helpful.^[2]

At the same time, the government has declared September “National Insider Threat Awareness Month” and provided a host of strategies to combat efforts—and potential efforts—to attack organizations.^[3]

The new study, “Good News and Bad News About Incentives to Violate the Health Insurance Portability and Accountability Act (HIPAA): Scenario-Based Questionnaire Study,” was written by G. Lawrence Sanders, a professor with the State University of New York at Buffalo, and two co-authors. It was published in a recent issue of JMIR Medical Informatics.

Organizations should adopt a combination of “both preventive and deterrent controls to reduce the probability of minor and major events,” the authors wrote.

As the authors explained, preventive controls “impede criminal behavior by forcing the perpetrator to deplete resources”; these must be implemented, they said.

Compliance programs typically focus on preventive measures, because these efforts “can be implemented, and they are under the control of the organization,” the authors wrote. Preventive controls “include sophisticated monitoring systems technologies and constant attention to authentication protocols to prevent unauthorized access to buildings, software, and databases.”