In the ever-changing world of healthcare IT, it can be hard to ensure that sensitive data remains adequately protected. HRMR asks what risk managers need to do to mitigate the ever-present threat of data breaches—and what to do when, despite your best efforts, a breach occurs.
In the rapidly changing world of data security and electronic health records (EHRs), it can be hard to ensure your organization continues to comply with the rules laid down by the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH).
The US government’s mandate that healthcare providers transition to EHRs within two years or face penalties has escalated the pace of change, making it vital to make informed decisions when deciding where best to invest time and money in order to keep EHRs adequately protected.
“Most IT and risk managers understand the big picture for security and we tend to get a bit carried away wanting to do it all,” says Chris Hourihan, principal research analyst for the Health Information Trust Alliance (HITRUST), which has published its analysis of US healthcare data breaches from 2009 to the present.
“The challenge is effectively implementing a program given the resource and budgetary constraints of IT and compliance in healthcare organizations. To do this, one must identify the control areas where they’re going to get the greatest risk reduction return on their investment.”
Hourihan says it makes little sense to focus on business continuity if your organization is not encrypting laptops, desktops and removable media. With more than 25 percent of breaches involving lost or stolen laptops, and more than 50 percent of records breached involving lost or stolen removable media such as USB drives, risk managers have a clear case they can make to senior management for where security dollars should be spent and the value they will receive from that spending.
Some major security improvements can actually be achieved with minimal expenditure. Alan Brill, senior managing director for cyber security experts Kroll Advisory Solutions, advises his clients to pay close attention to their use of passwords to protect private information.
“People have come to realise that a password is perhaps not enough protection for something that’s highly sensitive, partly because people choose stupid passwords. The number one most popular password is ‘password’. I hate going to management and saying it didn’t have to happen—that this incredibly complicated and expensive exercise you’re going through could have been prevented if you didn’t let people use ridiculous passwords.”
Brill recommends giving staff advice on how to create more secure passwords. “A good way to create a password is to take a favourite song and use the first letter of each word of the first line or two of the song because you can hum it to yourself and type it in,” he suggests.
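Brill's passphrase method and his point about "ridiculous passwords" translate into two simple controls: derive a passphrase from the initials of a line you can hum, and refuse passwords that appear on a deny-list of common choices. The following Python is an added illustration, not code from the article or from Kroll; the nursery-rhyme line, the tiny deny-list and the 12-character and 60-bit thresholds are constructed assumptions (a real deployment would load a large leaked-password corpus and set policy thresholds deliberately).

```python
import math
import re
from typing import List

# Constructed stand-in for a real breached-password deny-list. A production
# check would load a much larger list from a leaked-password corpus.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "abc123",
}


def lyric_passphrase(line: str) -> str:
    """Build a passphrase from the first character of each word of a line,
    the way Brill describes: hum the line to yourself and type the initials."""
    words = re.findall(r"[A-Za-z0-9]+", line)
    return "".join(w[0] for w in words)


def estimated_bits(pw: str) -> float:
    """Rough brute-force entropy: length * log2(size of the character classes used).

    This is an upper bound only. It ignores dictionary and lyric-guessing
    attacks, so a passphrase built from a very famous line is weaker than
    this number suggests; the deny-list check below is the more important one."""
    classes = 0
    if re.search(r"[a-z]", pw):
        classes += 26
    if re.search(r"[A-Z]", pw):
        classes += 26
    if re.search(r"[0-9]", pw):
        classes += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        classes += 33  # printable ASCII punctuation
    return len(pw) * math.log2(classes) if classes else 0.0


def check_password(pw: str, min_length: int = 12, min_bits: float = 60.0) -> List[str]:
    """Return a list of policy violations; an empty list means the password passes.

    Thresholds are assumed policy values for this example, not from the article."""
    problems: List[str] = []
    # Normalise so that "Password1" or "PASSWORD!" still match the deny-list
    # entry "password": lower-case, then strip trailing digits/punctuation.
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    if base in COMMON_PASSWORDS or pw.lower() in COMMON_PASSWORDS:
        problems.append("common password (on deny-list)")
    if len(pw) < min_length:
        problems.append(f"too short ({len(pw)} < {min_length})")
    bits = estimated_bits(pw)
    if bits < min_bits:
        problems.append(f"too little estimated entropy ({bits:.1f} bits)")
    return problems


if __name__ == "__main__":
    # Constructed sample line (public-domain nursery rhyme), two lines' worth of words.
    line = "Twinkle twinkle little star, how I wonder what you are, up above the world so high"
    phrase = lyric_passphrase(line)
    for candidate in ["password", "Password1", phrase]:
        verdict = check_password(candidate) or ["OK"]
        print(f"{candidate!r}: {estimated_bits(candidate):.1f} bits -> {verdict}")
```

Running it shows the number-one password failing all three checks, `Password1` still caught by the deny-list despite the capital and digit, and the 16-character lyric-derived phrase passing. The deny-list check matters more than the entropy figure: the entropy estimate is an upper bound that a dictionary attack can undercut.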
Brill warns that a major weakness in many systems is the password reset function, designed for use when individuals have forgotten their password.
“The online password reset feature usually asks you your security questions. The problem is that sometimes the questions that you choose are public information—so one thing we tell people is that when you’re setting up these reminder questions you are not under oath—you can lie as long as you can remember the lie.”
A growing security issue is the use of cloud computing, whereby data is stored by a third party and staff are able to access the information remotely. While this has clear benefits in terms of convenience, it is important to ask questions about the security and physical location of the data stored in the ‘cloud’.
“You need to ensure that the liabilities are understood,” says Brill. “If the third party screws up, who is going to pay? Your patients don’t want to know about a third party.”
Fortunately a number of companies have now started to offer appropriate cloud services. One example is Verizon, which launched its HIPAA-compliant cloud services last autumn.
“We are bringing to market a suite of cloud services that enables healthcare providers to secure patient data while offloading the burden of building and managing their own data centers,” says Dr Peter Tippett, chief medical officer and vice president of Verizon’s health IT practice.
In addition to ensuring your cloud provider meets HIPAA requirements, it is important to address the issue of how staff access data stored in the cloud. The Ponemon Institute’s third annual Benchmark Study on Patient Privacy and Data Security found that 81 percent of healthcare organizations now permit employees to use their own devices. It also highlighted a problem: many organizations admit they are not confident they can make certain these devices are secure and that patient data in the cloud is properly protected.
The good news is that the problem can often be addressed without huge expense. “A significant percentage of cases where there is an actual data breach were preventable without extreme measures,” says Brill.
“The kind of things that we see are failing to have good anti-malware in place that’s regularly updated—that’s not going to stop everything but it is going to help. We see that particularly where practitioners are working at home with their own computers to access a medical record, or an MRI image, for example. That level of protection has to be there.”
A good way to check whether you have adequate defenses in place is to put them to the test. Brill’s team are frequently called in to conduct penetration testing, whereby they challenge a hospital’s IT defenses to see how they hold up.
“We’ll go into a hospital and our guys will attempt to get on to their network. We’re looking to see whether their defenses are reasonable. We also do testing from within where we will access their network from inside the organisation and see what we can get.”
However strong your defenses, it is likely that your organization will experience data breaches. The extent of the problem is highlighted by the Ponemon Institute’s study, which found that 94 percent of hospitals surveyed had suffered data breaches. The question is, what will you do when it happens? Losses from a single breach can run into millions of dollars so it’s not surprising that an increasingly large number of healthcare organizations are seeking insurance solutions.
“Awareness has grown significantly in the last three to five years,” says Thomas Srail, senior vice president with the cyber and E&O team for Willis North America. “It’s not mandatory insurance coverage but many companies—I would estimate about 50 percent of hospital organisations—buy cyber insurance which means they have evaluated it, assessed it, understood the risk and taken steps to purchase it. About 70 percent of private health insurance companies have gone through an analysis process and have opted to purchase cyber insurance.”
CHECK THE SMALL PRINT
Cyber insurance can ease the costly business of dealing with a data breach, but it is important to check the small print of any policy, particularly if you want to have the freedom to notify patients of a potential breach even when there is no legal requirement to do so.
“Under the HIPAA/HITECH final rule every event is going to be presumed to be a breach, so the question is, do you need to notify? We find most organizations want to notify so that they are not looked at after the fact as having covered something up,” says Kimberly Holmes, deputy worldwide health care product manager for specialty lines at the Chubb Group of Insurance Companies.
“A lot of organizations want to notify their patients that they’ve taken the necessary steps to make sure everything was locked down and that, from everything they can determine, there was no access to that information. However, not every insurance product on the market will support and pay for that choice. If there is any language in a product that says the carrier has to approve or that the carrier will pay for notification only if it’s required by law then the covered entity really doesn’t have full discretion to make those decisions for itself.”
It’s important to check these details because the uncomfortable truth is that whatever safeguards you put in place, the risk of a breach never really goes away.
“An important thing that risk managers realise is that there’s no way to eliminate the risk,” says Srail. “As long as you have sensitive data on your patients that you’re handling, processing, saving and storing, there’s the danger that it could get out.”
Brill agrees. “If you accept that you could be the next victim then thinking about what to do when something happens becomes a lot more real,” he says. “Make plans such as having contracts in place for notification, for call centres, for forensics. If something happens, the organizations that have made plans are not wasting three-quarters of the available investigative time trying to negotiate contracts.
“Those who do regular exercises, have their people well trained and aware about these problems, when something happens they’re the ones that get through it a lot better—and at the same time because of their awareness they tend to be less likely to be victimised because they keep their defenses in place, so it’s a double winner.”