The headlines blaring data breaches are staggering, not only in their frequency but in the fact that they still make noise at all: they have not yet resigned people to lowering their privacy and security expectations in an increasingly electronic world that is presumably accessible by anyone.
Back in December, a data breach at one healthcare system affected 49,000 patients; another impacted more than 32,000 patients. In fact, last year alone (2013), there were more than 50 media reports of data breaches at healthcare facilities around the nation that apparently compromised the information of more than 75,000 patients – not counting the 90,000 patients of a Washington state incident, or the class-action lawsuit against a Florida health system for not preventing the theft and sale of personal and health information of 763,000 patients, or a New Jersey payer’s admission that unencrypted laptops were stolen that held information on nearly 840,000 patients.
Here we are, barely 25 years into the general public’s Internet Age (if you count the debut of the accessible World Wide Web as the starting point), and keeping the growing amount of information private and secure online seems to be outpaced by access to that information, whether voluntary or involuntary. Whether the exposure involves onsite or off-site hacking, employee mistakes, inappropriate viewing, or missing or stolen computers, a patient’s personal and health information seems more at risk than if it were kept in paper folders in office filing cabinets.
Congress passed and President Bill Clinton signed into law the Health Insurance Portability and Accountability Act (HIPAA) in August 1996 in part to facilitate electronic healthcare transactions for efficiency and effectiveness, including securing the privacy of health data. Back then, electronic data interchange was new, inspiring hope and wonder about a reformed healthcare system.
Fast forward to today and the debut of a new healthcare reform initiative, preceded by the Health Information Technology for Economic and Clinical Health (HITECH) Act of February 2009, which promoted the adoption and meaningful use of health information technology while addressing, through HIPAA, the privacy and security issues that stem from electronic transmission of health data. Despite these developments, the idea of EDI and electronic storage has since inspired fear and loathing about a reformed healthcare system at the mercy of malicious ne’er-do-wells and nincompoops.
Looking back at HIPAA’s initial passage, and at the explosive development of information technology capabilities and horsepower that followed, has the legislation’s existence really made a difference? Has it kept pace with the abundance of data? Or has it opened doors that motivate those who challenge privacy and security?
Health Management Technology tapped a group of security-minded information technology executives for their impressions. Here’s what they shared.
HMT: Has HIPAA lived up to its premise and promise, or is it still too soon to tell? Why?
Mac McMillan, CEO, CynergisTek, and Chair, HIMSS Privacy & Security Policy Task Force
I believe in many ways HIPAA and its complementary legislation the HITECH Act have made strides toward their initial intent and promise. I was new to healthcare in 2000, but it did not take long to realize the industry was way behind other industry sectors in its ability to exchange information, and that systems allowed parts and pieces of my medical record to exist in multiple locations – but not as a whole picture of me – and that was less than optimal for my health or the healthcare professionals who served me. Even within health systems, the over-reliance on paper records hampered efficiency, capability, collaboration, etc. Today, as a result of HIPAA and HITECH, and certainly other developments, we have a much more robust healthcare system that is capable of doing things that weren’t possible before. Have we achieved everything in terms of goals yet? No, but huge improvements have occurred in the last decade, and HIPAA can take part of the credit for that.
Barry Chaiken, M.D., Chief Medical Information Officer, Infor
I am not a HIPAA expert, but are you referring to health insurance portability or protection [of protected health information]? I am thinking the latter, as it makes the most sense, but I am not sure HIPAA was truly focused on privacy, and it surely could not have anticipated the rise in healthcare information technology. HIPAA surely needs to be rethought by experts to determine the correct level of safeguards to privacy while allowing for the effective transfer of PHI among caregivers to deliver high-quality, efficient care.
Rich Temple, National Practice Director, Beacon Partners
In part, I would say. The HIPAA legislation has raised general awareness about the importance of securing protected health information; however, as evidenced by the almost continuous drip of breach events, it has been less successful in actually ensuring that PHI is properly secured. For many years, HIPAA enforcement was extremely lax, but with the advent of the HITECH Act and the requirements for security and risk assessments as required core items for meaningful use, enforcement is starting to get a lot more rigorous, and provider organizations are taking notice.
With the Office for Civil Rights taking a lead role in HIPAA auditing, and the ability of district attorneys to order security audits at a local level, there is a much greater risk for providers of being found in non-compliance with HIPAA. This non-compliance now carries much bigger financial sanctions than it used to. So, we as an industry are not there yet, as far as HIPAA, but we are gaining momentum.
Sam Curry, Chief Technology Officer, Identity and Data Protection, RSA, The Security Division of EMC Corp.
Since the HIPAA Omnibus Rule took effect March 26, 2013, it serves as a glaring reminder that organizations continue to let their security strategy be guided by regulations and compliance. There is no doubt that there is still work left in trying to shift from a narrow focus on compliance with regulatory requirements to a broader goal of building trust across identities, information and infrastructure. This means not just going back to simple foundational security principles, including authentication and role-based access controls, but also tackling the challenge of new technology trends such as mobility, bring your own device (BYOD) and cloud computing.
Steve Matheson, North American Vice President of Sales, BridgeHead Software
The premise of HIPAA is that personal health information must be secure and private. It remains the only premise the market has. So while the premise is good, the delivery, specificity and probability of keeping that data secure have not been thought through enough to provide a clear roadmap. Also, the technology is imperfect.
The good news is that HIPAA is open-ended so hospitals can go in whatever direction makes the most sense for them in terms of defining how to achieve HIPAA compliance. The bad news is that HIPAA is so open-ended and undefined in terms of specific advice that it is hard to know which direction to go. Today, medical information touches not just doctors and nurses in the hospital, but billing companies and other third-party vendors, too. Many of these organizations are out of the hospital’s control. Collection companies need to have an agreement to assume liability.
So while HIPAA is good, the complexity of the healthcare ecosystem makes it hard for hospitals to be compliant. To make HIPAA work, healthcare needs all three legs: HIPAA, HITECH and Business Associate Agreements.
HMT: How prepared are healthcare organizations to handle the increased demands and information growth of the Patient Protection and Affordable Care Act in terms of data privacy and security?
Mac McMillan, CEO, CynergisTek, Chair, HIMSS Privacy & Security Policy Task Force
I think we as an industry are better prepared to meet these challenges than we were, and while I am optimistic that we will get there, I have some real concerns in this area. I worry about the smallest organizations in our community that are falling farther and farther behind due in large part to a lack of affordable resources to meet their data protection responsibilities. Last year’s audits by OCR shined a bright light on the disparity between large and small organizations and their readiness to meet privacy and security. As we become an even more connected industry, these small providers are going to represent a real risk for those that they are connected to.
Secondly, I see the whole information exchange and larger community-wide objectives being at risk when it comes to data protection unless we embrace the need for standards to support trusted interoperability. I feel confident in connecting and sharing with you when I have assurances that how you manage your enterprise is consistent from a trust perspective to how I manage mine. The way we achieve that trust environment is through standards.
Lastly, I think the government, and by that I mean HHS predominantly, needs to step up its game. They cannot continue to be the example of how not to do it when they are supposed to be the leader in how to do it. There is a reason most people have a low confidence quotient with government management of their information. Things like continued breaches by the VA, incidents like Tricare and the whole mismanaged Healthcare.gov project just undermine their credibility and ability to lead.
Barry Chaiken, M.D., Chief Medical Information Officer, Infor
Organizations just have too many moving parts: EMR implementations, changes in reimbursement and consolidation of provider organizations, to name a few. Most organizations are not prepared to handle all of this at the same time. Plus, the guidelines are blurred as to sharing PHI to facilitate patient care, while also protecting PHI. New technologies put even more pressure on these organizations. Therefore, can any organization be properly prepared?
Rich Temple, National Practice Director, Beacon Partners
Healthcare providers have quite a way to go in order to feel confidently comfortable about security and privacy around many facets of the [Patient Protection and Affordable Care Act]. While there are positive signs as far as the recognition of the importance of security, the advent of big data, cloud storage and health information exchange across disparate providers are all challenging providers in ways that they are not fully used to yet. These new data models all require collaboration across providers and across applications, which can make the imperative to effectively secure this data exponentially more challenging.
Roberta Katz, Director, Healthcare Solutions, EMC Corp.
Healthcare providers face the unique challenge of keeping PHI highly available, secure and private as they increase the use of IT to improve patient care delivery. Security breaches – whether the data is kept on physical IT assets or in a private cloud – can create a lack of confidence in a healthcare system and have significant regulatory implications. Although many healthcare organizations plan to conduct a HIPAA Security Risk Assessment, which is a core requirement of Stage 2 EHR meaningful-use incentive programs, there is more work to be done.
In a recent IT Trust Curve Global Study that EMC conducted, we found that:
Sixty-one percent of global healthcare organizations surveyed have experienced a security-related incident in the form of a security breach, data loss or unplanned downtime at least once in the past 12 months.
Nearly one in five (19 percent) global healthcare organizations have experienced a security breach in the last 12 months at an average financial loss of $810,189.
Nearly one in three (28 percent) global healthcare organizations have experienced data loss in the past 12 months at an average financial loss of $807,571.
Almost two out of five (40 percent) global healthcare organizations have experienced an unplanned outage in the past 12 months, losing 57 hours to unplanned downtime at a financial cost of $432,000.
Steve Matheson, North American Vice President of Sales, BridgeHead Software
Healthcare organizations are very poorly prepared. The healthcare ecosystem can be seen as a series of concentric circles. In the first and smallest circle, data is created and viewed in hospitals, and in this local use of data the hospitals are doing a pretty good job. Around that is a slightly larger circle that includes hospital clinical and business staff with their mobile devices. Both at rest and in transit, this data should always be encrypted to make it more secure. The next circle encompasses physicians in their own offices where they deal with a mix of paper and electronic data. The final circle includes patients at remote sites, such as kids at a college clinic or individuals at the pharmacy for their flu shots. As a rule, the further out the data gets, the less secure it is.
As the hospital ecosystem grows, there are more ways to create diagnostic information on patients. Every time data is created, interested parties increase. Likewise, as data becomes more mobile, that data and its viewer must go to the people. So people all over are repetitively viewing data. Another part of the challenge is that the professional environment has turned into a quasi-public one: Many hospitals have adopted a BYOD policy so employees can see the information they need to do their jobs. Even if it’s permission-based, this system is imperfect because employees are still using their devices for personal purposes and intermingling the apps.
Hospitals are struggling in this highly complex and dynamic environment to implement technologies that can keep up. In many cases, these technologies are forcing hospitals to leapfrog their current capabilities by a few generations. Often, they can barely afford the storage required to keep up with just housing all of the data that is going online. They almost always struggle and fall short in terms of purchase of the advanced data management technologies required, and recruiting and hiring the people with the experience and skill sets needed.
HMT: How do you fix the challenges you face as quickly as possible?
Mac McMillan, CEO, CynergisTek, and Chair, HIMSS Privacy & Security Policy Task Force
All of these are basic requirements of HIPAA and an information security program. So the first thing you do to address these issues is rethink your approach to information security and the priority it is being given. To effectively manage security and meet compliance requires people, technology and processes. Just having policies isn’t going to cut it. It takes a combination of technical controls, realistic processes and workforce awareness and diligence to create a security environment. Identifying the right technical controls, measuring the effectiveness of processes and workforce competence is accomplished through proper risk analysis.
After that it requires leadership involvement to resource the program and a champion to manage it. So how do you fix these challenges right away? Conduct or have an external third party conduct a thorough risk analysis. Appoint a competent information security manager. Prioritize resources to support the program (people/technology/funding). Then provide appropriate governance to make sure it’s getting done.
In short:
Conduct a safe harbor analysis and identify gaps in data protection. Apply encryption where those gaps cannot be eliminated.
Invest in a privacy monitoring solution and audit planning that enable automated auditing and monitoring of workforce activity in critical clinical applications proactively.
Use a credible third party to conduct a thorough risk analysis with an objective lens.
Accept that you cannot track ePHI manually and invest in a data loss prevention solution to assist in locating, mapping and managing ePHI in real time.
Recognize that information security is no less complex than the systems environment it lives in today, and the person managing it has to be just as qualified as those managing that environment.
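As an added example (not code from the article, and not a product of any vendor quoted in it), here is the kind of automated workforce-activity audit McMillan’s second point describes, run over a constructed EHR access-log export. Everything about the input is an assumption: the CSV column layout, the treatment-relationship table that says which patients each user is assigned to, the workforce directory of staff surnames, and the fixed bulk-access threshold. The three checks are the ones privacy-monitoring tools typically start with: access without a documented treatment relationship, look-ups of patients sharing the employee’s surname (possible family snooping), and an unusual number of distinct patients viewed within one hour.

```python
"""Privacy monitoring over EHR access logs (added example, hypothetical data)."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample access log in a hypothetical CSV export format.
ACCESS_LOG = """\
timestamp,user,role,patient_mrn,patient_surname,action
2014-03-03T08:02:11,jdoe,nurse,100234,Alvarez,view
2014-03-03T08:05:40,jdoe,nurse,100235,Brown,view
2014-03-03T08:07:02,jdoe,nurse,100981,Doe,view
2014-03-03T09:15:22,rsmith,billing,100234,Alvarez,view
2014-03-03T09:15:30,rsmith,billing,100240,Chen,view
2014-03-03T10:01:05,tlee,registration,100301,Garcia,view
2014-03-03T10:02:10,tlee,registration,100302,Hassan,view
2014-03-03T10:03:15,tlee,registration,100303,Ito,view
2014-03-03T10:04:20,tlee,registration,100304,Jones,view
2014-03-03T10:05:25,tlee,registration,100305,Kim,view
2014-03-03T10:06:30,tlee,registration,100306,Lopez,view
"""

# Hypothetical treatment-relationship table: the patients each user is
# currently assigned to. A real system would derive this from scheduling
# and encounter data rather than a static dict.
TREATMENT_RELATIONSHIPS = {
    "jdoe": {"100234", "100235"},
    "rsmith": {"100234", "100240"},
    "tlee": {"100301", "100302", "100303", "100304", "100305", "100306"},
}

# Hypothetical workforce directory, used to spot look-ups of relatives.
USER_SURNAME = {"jdoe": "Doe", "rsmith": "Smith", "tlee": "Lee"}


def parse_log(text):
    """Parse the CSV export into a list of dict records, one per access."""
    return list(csv.DictReader(StringIO(text)))


def no_relationship(records, relationships):
    """Accesses to patients the user has no documented treatment relationship with."""
    return [r for r in records
            if r["patient_mrn"] not in relationships.get(r["user"], set())]


def same_surname(records, user_surname):
    """Accesses where the patient's surname matches the user's own surname."""
    return [r for r in records
            if r["patient_surname"].lower() == user_surname.get(r["user"], "").lower()]


def bulk_access(records, threshold=5):
    """Users who viewed more than `threshold` distinct patients within one clock hour.

    The threshold is a hypothetical fixed value; production tools baseline it
    per role so that, e.g., registration staff are not flagged for normal volume.
    """
    seen = defaultdict(set)
    for r in records:
        hour = r["timestamp"][:13]  # 'YYYY-MM-DDTHH'
        seen[(r["user"], hour)].add(r["patient_mrn"])
    return {key: len(mrns) for key, mrns in seen.items() if len(mrns) > threshold}


def run_audit(text, relationships=TREATMENT_RELATIONSHIPS, user_surname=USER_SURNAME):
    """Run all three checks and return the findings keyed by check name."""
    records = parse_log(text)
    return {
        "no_relationship": no_relationship(records, relationships),
        "same_surname": same_surname(records, user_surname),
        "bulk_access": bulk_access(records),
    }


if __name__ == "__main__":
    for check, hits in run_audit(ACCESS_LOG).items():
        print(f"{check}: {hits}")
```

On the constructed data, the nurse jdoe trips both the no-relationship and same-surname checks for MRN 100981 (a patient named Doe who is not on her assignment list), while tlee trips only the bulk-access check; whether six registrations in an hour is suspicious depends on the role baseline, which is exactly why a real deployment tunes thresholds per role rather than using the fixed value shown here.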
Barry Chaiken, M.D., Chief Medical Information Officer, Infor
First, identify the problems. Then, solidify your PHI sharing strategy. Once you have done that, you must develop guidelines and implement technologies that allow you to meet your goals. Just don’t jump in and address this piecemeal. It will not work.
Rich Temple, National Practice Director, Beacon Partners
Invest the time, money, and resources to do an end-to-end security and risk assessment, and don’t just look at it from a technology perspective. Look at people, processes, documentation and workflow, as well. Ensure there is an intuitive understanding of the HIPAA mandates and what the penalties are – to both individuals and to the whole organization – for non-compliance. Build detailed policies and governance structures that ensure those policies are adhered to.
Roberta Katz, Director, Healthcare Solutions, EMC Corp.
The world of data security has changed dramatically, rendering many traditional techniques ineffective and posing tough challenges for healthcare providers to prevent exposure of PHI. Simply building firewalls around the perimeter of the enterprise network is no defense against stealthy new forms of attacks. Persistent identity thieves can almost always enter and often move through systems gathering information for weeks before detection. Once discovered, the next challenge is responding fast enough to avoid loss of PHI.
We encourage healthcare organizations to take a holistic view of security management by adopting an integrated approach to governance, risk and compliance (GRC). To align appropriate security activities for maximum protection across the enterprise, we suggest integrating a security management framework into your IT infrastructure comprising:
Business governance: embedding security into all organizational structures and processes while taking into account regulatory requirements (HIPAA, HITECH) and internal policies;
Security risk management: identifying and classifying information risks and tracking risk mitigation;
Operations management: implementing security processes and controls in line with security policy to prevent risks from developing into security incidents;
Incident management: detecting, analyzing, resolving and reporting security incidents to minimize their impact.
Steve Matheson, North American Vice President of Sales, BridgeHead Software
You don’t. It’s not a money, skill or technology issue. It’s all three, plus more. This is a transformational process and challenge that will take years for most healthcare systems to accomplish. Some won’t make it through and will collapse under the weight of everything that is being required. Others will find ways to modernize and will emerge with stronger methods – and will be the long-term surviving healthcare systems.