EXECUTIVE SUMMARY:
Thanks to the rampant digitization of healthcare data, breaches have become commonplace in an industry that lacks advanced security practices. In this industry-wide report, those who have dealt with breaches implore others to shore up internal security practices and be transparent. As one CIO keenly notes, “we’re all in this together.”
Here’s something that may keep your typical healthcare CIO from getting a good night’s sleep: the growing list of data breach victims on the federal Department of Health and Human Services (HHS) website. From breaches affecting 500 patients to those that impact millions, it’s an extensive catalog, which shows how even the most sophisticated provider and payer organizations are susceptible to this growing threat.
The list is part of HHS’ effort to make organizations more transparent when data has been breached. Its existence is mandated by the federal Health Information Technology for Economic and Clinical Health (HITECH) Act. While getting on the list is not exactly something leaders at any provider-based organization will ever want to achieve, for many, it could be only a matter of time. Even if it’s not a breach that affects 500 or more patients, the industry-wide consensus, from analysts to CIOs, is that unless an organization is aggressive in protecting its data, vulnerabilities are inevitable.
“If you don’t believe your data is at risk, you don’t know what’s going on,” John Halamka, M.D., CIO at the Boston-based 649-bed Beth Israel Deaconess Medical Center (BIDMC), says matter-of-factly.
John Halamka, M.D.
Michael ‘Mac’ McMillan, chair of the HIMSS Privacy & Policy Task Force, and co-founder and CEO of CynergisTek Inc., a health information security and regulatory compliance firm based in Austin, Texas, says data breaches have become a near-weekly occurrence due to three main factors, all converging around the same time. The first factor is the rapid digitization of healthcare data, thanks to meaningful use and other regulatory mandates. Secondly, he notes that healthcare entities are still using manual, outdated processes for data protection. Lastly, he says, privacy and security are not the priority they should be.
“The overwhelming majority of breaches today are caused by carelessness or lack of attention to controls, or lack of attention by the organization,” McMillan emphasizes.
BREACH DATA
Statistics on data breaches are not definitive, but they are revealing. While the number of data breaches affecting 500 or more patients fell this past year by 32 percent from the previous year, the number of patients impacted by those breaches doubled, from 5.4 million to 10.8 million, according to data compiled by Kaufman, Rossin, and Co., a Miami-based accounting firm. Other studies have painted an even darker picture. The Ponemon Institute (Traverse City, Mich.) found in December of 2011 that data breaches have increased 32 percent year-over-year, with 96 percent of the healthcare organizations that were surveyed reporting that they experienced breaches during the last two years.
The most alarming report may be from security firm Symantec (Mountain View, Calif.), which looked at the top 10 sectors by number of data breaches in 2011. The healthcare industry was the unlucky “winner,” with 43 percent of the healthcare organizations reporting that they had breaches, far ahead of the government sector, which was second at 13 percent.
Cost is another factor that adds to the weight of data breaches. According to the Ponemon study, data breaches are costing the healthcare industry an average of $6.5 billion on an annual basis. McMillan says the fine levied on an institution that suffers a data breach is only a fraction of the actual cost.
Using an example of a breach that cost a provider organization just over $600,000 in fines, McMillan says, “More than that fine, they spent countless man hours in remediation activities, and they’ve reached a resolution agreement with the federal government that requires them to come up with a full time monitor for three years. That breach, between legal issues, resolution, remediation, etc. is probably costing them between $4-5 million.”
Infograph Data Provided by Kaufman, Rossin, & Co. and The Ponemon Institute
ENCRYPTION FAILURE
While data breaches come in all shapes and sizes, for most healthcare leaders, the lessons learned are strikingly similar. In the case of Jim Turnbull, CIO of the four-hospital, integrated University of Utah Health Care system, the breach at his organization wasn’t even perpetrated by someone from within. Instead, a third-party organization was faulted for allowing the backup data tapes, which were being sent to a storage facility in the mountains, to be stolen.
The data tapes, which Turnbull says contained information on approximately one million patients, later turned up in the house of some small-time thieves. The data, which had been backed up, was not lost. Still, Turnbull said, the healthcare system, which had immediately begun the process of notifying patients, learned some lessons, even with the positive outcome.
“[Before the breach], there was a belief that the tapes were encrypted, and in fact they were not. So we put encryption practices into effect immediately,” Turnbull says. “The second thing was dealing with the transport contractors. We stopped sending them to the backup vault in the mountain for some time before we did a review of all the processes. With our own employees, we made it so they have to go to the vehicle and ensure the proper vehicle is there to transport the data.”
BE AGGRESSIVE
Looking back, Turnbull says one of the most important things University of Utah Health Care did in the wake of the breach was to be transparent with patients. He adds that the worst thing an organization can do after a breach is to “try and hide it.” That sentiment is shared by BIDMC’s Halamka, whose organization has suffered two data breaches over the past two years. He says it’s important for those in the industry to share and learn from each other’s mistakes.
“It’s so important for the industry to share lessons learned. We’re all in this together, and it isn’t a question of who is to blame, but how does the industry get better,” says Halamka, who has not only publicly reported the breaches to HHS and BIDMC’s patients, but also discussed them extensively on his popular health IT blog.
As at University of Utah Health Care, BIDMC’s first recent breach was caused by the error of a third-party organization. According to Halamka, a personal device used by a subcontractor was stolen from that person’s car. The device held error logs, and those error logs contained patient names. This year’s breach happened when the personal computer of a physician was stolen from his desk. Neither device, he says, was procured or protected by the hospital’s IT department. This led BIDMC to make a major change.
“CIOs may not have a lot of authority, but we have a whole lot of accountability. How will you sleep at night knowing you’re responsible for any device at the Apple Store? The answer is you have to take an active approach, rather than passive,” he adds.
WORKFORCE EDUCATION
Around the block from BIDMC, Brigham & Women’s Hospital, a 777-bed hospital that is also a teaching affiliate of Harvard Medical School, also recently suffered a data breach. It occurred when a doctor, who works at Brigham & Women’s and nearby Faulkner Hospital, left an external hard drive storing data on 638 patients in a cab.
Sue Schade, who is currently CIO of the University of Michigan Hospitals and Health Centers and was CIO of Brigham & Women’s at the time of the breach, says the incident taught her that it’s important to ensure your policies are in place and people are trained on them. “The number of breaches right now of a large-scale magnitude that involves security within your overall infrastructure is far less common than the small ones of laptops and flash drives,” she says. “And that latter category is really about education of the workforce.”
STANDARDS AND PRACTICES
For some, though, data breaches are complex and involve IT infrastructure. Take the Surgeons of Lake County, Libertyville, Ill., which recently had the server hosting its unencrypted EHR data hacked, encrypted, and held for ransom. The surgeons did not oblige, and instead turned off their servers and alerted authorities. To Dorothy Glancy, professor of law and digital privacy expert at Santa Clara University, Santa Clara, Calif., this kind of breach represents more serious criminal activity.
“[The hackers] were probably pros, and not just 16-year-olds playing in their bedroom,” Glancy says. “I don’t think a single person was targeted but probably the organization, and probably for financial reasons.”
McMillan says these kinds of threats would be better avoided if better data security standards and practices—even with legislation from HITECH and the Health Insurance Portability and Accountability Act of 1996 (HIPAA)—were implemented and observed industry-wide. “We’re in a kind of environment where healthcare really needs to step up its game. It needs to adopt a real security standard like you see in other industries,” he says with conviction.
Mac McMillan
Of course, as Glancy and others note, it’s most important to shore up data security practices in house. In an era where the digitization of data is rampant, getting your own information secured and your staff trained is critical.
“Think about the law of averages. They [providers and payers] have all this information or almost all, which can identify one person, one way or another. And they have so much data per person because of the way medicine is practiced. So yeah, the law of averages says there will be a lot of data breaches. It’s not surprising,” Glancy says.
SIDEBAR: THE 10,000 CLUB
Notable data breaches in 2012 affecting more than 10,000 patients*
Jan. 25 – Howard University – 34,503 patients
Jan. 31-April 2 – South Carolina Department of Health and Human Services – 228,435
Feb. 7-Feb. 20 – Emory Healthcare – 315,000
Feb. 11 – Indiana Internal Medicine Constituents – 20,000
March 10 – Utah Department of Health – 780,000
March 16 – Our Lady of the Lake Regional Medical Center – 17,339
April 30 – The University of Texas MD Anderson Cancer Center – 29,201
*Data provided by the U.S. Department of Health & Human Services Health Information Privacy website breach notification tool.