HIPAA is extraordinarily expensive, meanwhile healthcare providers continue to have abominable security because compliance is offloaded to a "compliance team" who comes around once in a while to check boxes without really understanding the system, which is managed by other people who don't really understand HIPAA. This is one of the reasons security in large organizations is hard. Bureaucracies gravitate toward bureaucratic solutions, but then the left hand doesn't know what the right hand is doing, which is a direct mechanism for security to get messed up.
SOX isn't really about "security", it's about auditing and so on, but it suffers from a disadvantageous trade-off. Large companies are less likely to have accounting problems than smaller ones. The law was passed in response to major outliers like Enron, but basing rules on rare outliers generally results in bad rules. Meanwhile the smaller companies have disproportionately higher compliance costs, to the point that there have been proposals to exempt smaller companies. But that implies it probably isn't worth it for large companies because the rate of fraud is so low and it probably isn't worth it for small companies because the compliance costs are so high, and then there's nothing left.
Whereas NIST CSF is a different kind of thing because it's voluntary. This is where government publications can really do some good, because if they publish rubbish then nobody has to pay any attention to it and the cost is limited to the money they spent creating it, but if it's good then it's valuable to anyone who uses it. The government should definitely lean towards this method, but it's hard to call this one "regulations" -- and the criticism you're responding to was that corporations would end up "just gaming the regulations".
For small entities it is. Which, in turn, causes there to be fewer small entities, less competition, and higher prices. Which is extraordinarily expensive.
Also notice that a large part of the cost is poorly accounted for, because the way many of the non-destructed entities comply with it is by adopting cloud-hosted EMR systems that handle a lot of the compliance burden for them. Which aren't exactly cheap, but more than that they're usability fiascos that imperil patient care.
I really don't think this is true. What cost factors are you thinking of? We host lots of small HIPAA-complying businesses, and in my career I've consulted for many dozens more. As near as I can tell, there's actually not a whole lot to it.
It's 115 pages. Just training the staff to comprehend what's in it is a non-trivial undertaking, assuming people are actually going to comply with it.
It has some fun provisions, like prohibiting disclosure of certain information except where disclosure is mandatory, which means there is no "err on the side of caution" and you need staff to know exactly what the conditions are if you want to avoid breaking the law.
There are various rules about computer systems and access controls that are all reasonable and expected in a large bureaucracy but not anything a small medical practice is going to be familiar with. So they'll have someone host it for them who has lawyers on staff and pay them a premium for it. That makes it "easier" and then the expense gets accounted for as something else. But now we're back to many of these systems being proprietary and miserable, because they're specialized to the limited (and extremely "enterprise") market of customers who need HIPAA compliance, and now small entities have to deal with the daily horrors of using "enterprise software" for their ordinary work.
Compliance costs also often seem low because people aren't actually complying. But then you're creating a competitive disadvantage for companies that actually follow the law.
Yeah, if that's what you mean, this just isn't expensive. If you do a lot of consulting for HIPAA companies, you get HIPAA-trained a bunch (i.e.: you fast-forward through a lot of videos with an HTML5 video playback speed hack). They're not a big deal; maybe a hundred or two per seat?
It's not my impression that HIPAA is one of the more burdensome regs regimes, and this comment sort of reinforces that belief.
I feel kind of the opposite. Like the way "compliance" works in corporations is everyone has to sit through a boring training video so they can check the box that says "trained staff on regulatory compliance" when the real cost is not just watching the video but actually diligently putting it into practice. Which is pretty cheap for the companies who skip doing that part, admittedly, but if that's expected to be the method of "compliance" then what's the point of the law?
Edit: SOX, HIPAA, NIST CSF.
Government is not always bad.