Report: When It Comes to Healthcare Data Breaches, OCR Should “Prevent More than It Punishes”
To help prevent medical data breaches, healthcare organizations should embrace cyber insurance and communicate better with each other about security strategies, yet federal agencies also could do more as far as preventive measures are concerned, according to a new Brookings Institution report.
In 2015, 23 percent of data security incidents occurred in the healthcare industry, the highest share of any industry, according to law firm BakerHostetler’s 2016 Data Security Incident Response Report, titled “Is Your Organization Compromise Ready?” and released earlier this year. The healthcare industry accounts for a growing percentage of data breaches, and over the last six years the medical data of more than 155 million Americans has been potentially exposed through nearly 1,500 breach incidents, according to data from the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR).
The new report from the Brookings Institution’s Center for Technology Innovation, titled “Hackers, phishers and disappearing thumb drives: Lessons learned from major healthcare data breaches,” examines the underlying factors that led to these incidents and the lessons that can be learned to help prevent breaches moving forward.
For the report, researcher and author Niam Yaraghi, a fellow in the Brookings Institution’s Center for Technology Innovation, conducted more than 20 interviews with key personnel at healthcare providers, health insurance companies and their business associates to glean lessons learned.
As has been stated before, Yaraghi’s research indicates that the healthcare industry is vulnerable to privacy breaches for a number of reasons, including the valuable information contained in healthcare data, such as social security numbers and home addresses. In fact, according to IBM’s 2015 Cost of Data Breach Study, the per-record cost of healthcare data breaches is $363, the highest of all industries.
Yaraghi also points out that healthcare services are complex and often require many different entities to have access to patients’ medical data. Even with a simple office visit, Yaraghi wrote, many different people and entities need access to the patient’s medical data, including the physician, an electronic medical records (EMR) vendor that provides software and cloud storage for saving the doctor’s notes, a health information exchange (HIE) platform that shares this data with other physicians, and the insurance company.
As medical data are now being shared with many different types of entities, many employees now have access to patient records, and this extended access to medical records increases the potential for privacy breaches.
In addition, healthcare organizations often store medical information for many years, and the probability of a breach increases with storage volume and duration. And, Yaraghi asserts that government incentives led healthcare organizations to adopt electronic health records without being ready to adequately invest in security technologies.
He also points out that the rising costs of privacy breaches, such as high remediation costs as well as new types of cyber attacks like ransomware, have created strong economic incentives for healthcare organizations to invest in information security.
The report notes that human error is the leading cause of the majority of breaches analyzed. Along with identifying methods to reduce human error and technologies to prevent the consequences of privacy breaches within an organization, Yaraghi also examines the factors outside of an organization that can hinder privacy protection efforts.
Specifically, the report addresses policy challenges. “While the Health Insurance Portability and Accountability Act (HIPAA) is clear about the requirements to protect health data, it does not specify how to do so and is open to interpretation. HIPAA is also outdated and falls short of addressing modern cybersecurity challenges,” he wrote.
In addition, he calls attention to medical device manufacturers who “do not ensure the security of their products and instead transfer responsibility to healthcare organizations.”
Yaraghi also calls out the Office for Civil Rights within HHS for its punitive auditing process after a breach occurs, which can inhibit information sharing between healthcare organizations as well as communication with OCR.
“Most of them [organizations] mentioned that the [auditing] process is very punitive and contributes to the organizations’ reluctance to share the details of their breaches with the peers,” he wrote.
“Furthermore, audits usually take more than two years and organizations incur significant legal fees during the process. OCR does not share the details of its findings after an audit, and thus, other organizations will not have the opportunity to learn from the experiences of their peers,” he wrote. “Sharing information about cyber threats between the healthcare industry and federal agencies, such as the FBI, is crucial in preventing breaches and mitigating their consequences. However, the punitive nature of OCR audits coupled with media scrutiny discourages organizations from sharing their experiences and concerns.”
He also notes that while OCR conducts a thorough investigation to identify the causes of a breach and then ensures that the victim organization has put corrective and preventive policies in place to avoid future incidents, the agency does not share the details of its investigations, thus there is a lost opportunity for lessons learned for other organizations.
To address these challenges, and to better protect patient privacy and protect organizations from breaches, Yaraghi offers a number of policy recommendations for both healthcare organization leaders and OCR. Overall, he calls for more effective communication between healthcare organizations, and between provider organizations and federal agencies, about security technologies, privacy policies and breach incidents. Healthcare organizations should use “the full potential of currently available premium platforms to better share information amongst themselves.”
OCR also should better communicate the details of breach incident audits, Yaraghi asserts, as the lessons learned from each breach can prevent other similar incidents. “OCR should provide detailed reports on how each breach happened, and how other healthcare organizations can avoid similar occurrences.”
He also asserts that OCR “should prevent more than it punishes” and calls for the agency to conduct more random audits, not connected to a breach, which could help prevent breaches before they occur rather than merely reduce the chances of a second incident. And, he suggests the establishment of a universal HIPAA certification system. “OCR should accredit certification agencies that can conduct preventive audits in accordance with OCR standards and certify the compliant organizations,” he stated.
He also has a number of recommendations for healthcare organization leaders. He encourages healthcare organizations to prioritize patient privacy and to use available resources to protect patients’ medical data. “In many of the interviewed organizations, privacy breaches could have been prevented had the organizations spent enough on security technologies or diligently implemented and followed privacy policies. Healthcare organizations now have access to both the knowledge and technology that is required to ensure the privacy of their patients, and thus should use these resources to their fullest potential,” he wrote.
He also suggests that healthcare organizations invest in cyber insurance. “To underwrite the privacy risk of healthcare organizations, cyber insurance companies will be willing and able to conduct timely and efficient audits and proactively manage their clients’ privacy protection efforts. Healthcare organizations will also have a direct economic incentive to reduce their cyber insurance premiums by addressing their security weaknesses and preventing privacy breaches,” Yaraghi wrote.