Friend or foe?


From cloud computing to bring your own device, everyone in healthcare is talking about data security. But, spurred on by the HIPAA/HITECH omnibus final rule, government incentives and widespread technological advances, healthcare organisations must get better at data protection, says HRMR.

The security of patients’ personal information is a long-running concern for healthcare risk managers but as healthcare providers make the switch to electronic health records (EHRs), the nature and the magnitude of the risk is changing.

To comply with the rules laid out in the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), healthcare providers need to keep pace with changes in the way that sensitive information is stored and accessed.

Chris Hourihan, principal research analyst with the Health Information Trust Alliance (HITRUST), says that electronic breaches of protected health information (PHI) now account for 70 percent of breaches, compared to only 26 percent for physical. “As the industry continues to move to EHRs and gets rid of paper, we expect the number of reported breaches involving paper records to continue to decline,” he says.

Alan Brill, senior managing director for cyber security at Kroll Advisory Solutions, agrees. “We’re going to be in the position where a greater proportion of healthcare information is going to be located on a computer,” he says. “The medical students, the nursing students who are being trained now are going to be trained using the new tools and that’s what they’re going to expect to use.”


The move to EHRs is being driven by the government’s electronic medical records mandate, which comes with a sting in the tail: healthcare providers that do not meet the deadline of 2015 will face penalties in the form of reduced Medicare and Medicaid payments.

Besides the need to keep up with government requirements, the switch to EHRs undoubtedly makes life easier. Electronic records facilitate the sharing of important data, both for the benefit of the individual and for wider research purposes—but with the added convenience comes a whole host of security risks.

Foremost among these is the fact that huge quantities of confidential information can be stored on portable devices such as laptops and USB drives. The loss and theft of such devices is the leading cause of security breaches, according to research by HITRUST. The use of mobile devices also raises the question of cyber security.

According to the Ponemon Institute’s third annual Benchmark Study on Patient Privacy and Data Security, 81 percent of healthcare organizations now permit employees to use their own devices—commonly called bring your own device (BYOD)—to access organization data. But 54 percent of organizations were not confident that these personally owned devices were secure.

Similar uncertainty surrounded the security of the cloud-based services many of these devices are used to access. In cloud computing, data is stored by a separate organization, and employees are able to access the information remotely. While 91 percent of hospitals surveyed for the Ponemon Institute’s report are using cloud-based services, 47 percent of organizations lacked confidence in the data security of the cloud.

This mistrust may be well founded, warns Brill, who says that in some cases the physical storage of ‘cloud’ data will not be adequately secured, and may even occur in a country with very different laws and regulations regarding data protection.

Following January’s HIPAA omnibus final rule, which extended the HIPAA laws around data storage and processing beyond healthcare organizations to their business associates and their partners, this issue has taken on added importance.


Dr Peter Tippett, chief medical officer and vice president of the Verizon Innovations Incubator, which provides HIPAA-compliant cloud computing and data storage, has seen an upsurge in demand for these services in the wake of the final rule.

“The new rule extends the problem out well past the hospital itself,” he says. “Now even if you just store the data you clearly have to deal with the HIPAA rules.”

Verizon offers a popular solution in the form of its specially tailored data centers. “We took two of our Verizon Terremark data centres and we documented and organized all the physical technical and operational controls and created a business associate agreement that we would sign with anybody who kept their data there or did their processing there,” he says.

These days it’s not only data storage which can be outsourced: some healthcare organizations give the handling and saving of credit cards over to another company.

This type of outsourcing can give a false sense of security, says Thomas Srail, senior vice president with the cyber and E&O team for Willis North America. “It’s fine until that company suffers a breach. Your patients didn’t go to that credit card processing company for business, they came to you. You’re still going to be liable.
“You can outsource the operation of a lot of business processes: backing up, offsite storage, card processing, claims processing—but you can’t necessarily outsource the liability.”

Who are the individuals who gain unauthorised access to patient data? HITRUST found that 23 percent of them are insiders, the majority of whom are acting without malicious intent. However, there has been a sharp rise in the number of hacks, up from its average of 6 percent to 17 percent in the second quarter of 2012.

The major motivation behind such attacks is identity theft. “Those folks are going for social security numbers,” says Srail. “The other financial motive is credit card numbers, but we’ve also seen high profile cases where people are interested in looking at the medical information of a resident celebrity, for example.”

The bottom line is that the information in individuals’ EHRs has financial value to the perpetrators, many of whom use the Internet as a vehicle for selling on the information to a third party. The consequences for the individual can be devastating.

“Medical identity theft is the fastest growing identity theft crime in the US. It has the potential to impact individuals’ credit and finances as well as pose a serious risk to their health and safety if their EHR is compromised,” warns Rick Kam, president and co-founder of ID Experts, who sponsored the Ponemon study.


A data security breach can also have serious—and costly—consequences for the healthcare provider. In the days before privacy breach notification laws and HITECH, it was common practice for organizations to avoid the panic and embarrassment caused by a data breach by simply covering it up.

Before the state of California passed the first breach notification law in 2003, roughly 10 to 20 companies a year went public regarding data breaches. These days the figure is closer to 3,000.

Associated costs include paying for credit monitoring services for individuals whose information has been breached; setting up a call centre to handle calls relating to the breach; tackling PR surrounding the breach; and dealing with lawsuits from individuals whose records have been breached. Costs can run into millions, so healthcare providers are increasingly sitting up and taking notice of the threat.

The need to comply with federal legislation, such as qualifying for meaningful use incentives in the 2009 American Recovery and Reinvestment Act and conducting a security risk analysis as required by the 2005 HIPAA security rule, has significantly changed how hospitals and physician practices look at and monitor information security practices.

Add to that January’s HIPAA/HITECH omnibus final rule, which extends responsibility for data security to business partners and stipulates that every security event be presumed to be a breach, and the result is that a lot more money is being spent on data security and breach notification.

The added security focus is also being driven by incentives. The 2012 Healthcare Information and Management Systems Society (HIMSS) security survey found that, with the new focus on qualifying for incentives provided by the Centers for Medicare & Medicaid Services (CMS) EHR Incentive Program (meaningful use), healthcare organizations have further stepped up their emphasis on the security of patient health data, and more organizations are conducting an annual security risk analysis.

But there is still much room for improvement. For instance, less than half (43 percent) of survey respondents reported that their organization tested their data breach response plan.

“A customized data breach response plan is as important as preventing breaches in the first place,” says Michael Bruemmer, vice president for Experian Data Breach Resolution, which underwrote the HIMSS survey. “The sooner the industry embraces the need to put a response plan in place, the better.”


Other studies, such as HITRUST’s analysis of US breach data, have found further areas of weakness.

“What concerns us is the lack of progress in mitigating the principal types of breaches that have been reported since 2009,” says Hourihan. “Lost and stolen laptops, mobile media and paper records quickly became the leading cause of breaches and they remain so.”

An area of particular concern is the smaller physician practices, where HITRUST has seen not just scant progress, but no progress at all. From 2010 to 2011, physician practices experienced a 0 percent change in the number of breaches, and for 2012 HITRUST expects a 12.5 percent increase (compared with a 14.5 percent decrease for hospitals and a 13.6 percent decrease for health plans).

“It’s no secret that many of these practices lack the expertise to manage security and lack the budgets to fund improvements,” says Hourihan. “Until we can make security and compliance a no-brainer for practices and offer these solutions cost-effectively, or we start seeing an increase in fines and penalties, it’s highly likely the trend will continue.”

He says a further consideration is that these small practices are increasingly connecting with larger organizations to share patient information. Many regional hospitals are partnering with local practices to create more seamless visits for patients—so all of their information is available to both parties.

“Unfortunately this presents a major exposure to the large organizations where we have been seeing progress for security,” he says. “Many of these small practices that don’t have firewalls, anti-malware, or adequate physical protections to prevent theft are exposing their partners to direct breaches of patient data.”

With the current trend for acquiring physician practices, it’s clear that hospital risk managers will increasingly face the challenge of ensuring that data security is at the required level in newly acquired practices. But what can be done to ensure that PHI is as safe as possible? Turn to page 48 to discover the data protection strategies that work.
