Because of the mandatory breach notification requirements of the HITECH Act, reports of material data breaches have become somewhat commonplace. While each incident is a serious matter and the penalties can be significant, unless the breach involves a famous person or a record-breaking fine, these stories rarely raise an eyebrow. However, as an industry, we must not let the frequency of such incidents lull us into complacency.
In fact, we know the common causes all too well: the lost or stolen unencrypted laptop, endpoints left unsecure in a bring-your-own-device environment, lack of enforced policies and procedures, and unintentional human error or employee negligence. Additionally, many information technology departments trying to keep their proverbial heads above water might view safeguard investments in electronic protected health information, or ePHI, as low priority. This is especially true when other high-visibility projects demand their attention. As we know, making information more secure simply does not bring in revenue and, frankly, can make the system harder for harried clinicians to use.
Yet, the growth of health care data from electronic health records, patient portals, mobile devices and other technologies has led to the accumulation of more sensitive electronic information. It has also spawned the distribution of that information throughout the enterprise and across the community, thereby creating new risks to ePHI.
Against this backdrop, several industry influences are shaping security and privacy. Regulatory enforcement is strengthening, and it's creating a higher likelihood of financial sanctions for those organizations that do not mitigate risks. Industry competition also has raised a business interest in managing the patient perception of securing data, which is significantly impacted by sensationalized events and high-profile data breaches. Moreover, meaningful use incentive dollars and eventual penalties are tied to the completion of risk management activities, such as performing a security risk analysis and implementing reasonable and appropriate security measures.
Numbers Don't Lie
Given these pressures — and with some 30 million patients having been affected by data breaches involving 500 or more individuals since 2009, when large breach reporting requirements went into effect — one would assume the time has come for the industry to step up its information security game. But the statistics tell a different story.
A 2014 study by the Ponemon Institute found that 90 percent of health care organizations have experienced at least one data breach within the past two years, with 38 percent reporting they had had more than five. The multiple offenses suggest the importance of performing thorough and frequent risk analyses to identify and address vulnerabilities. Even more disturbing, this same study reports that criminal attacks on health care systems have risen a startling 100 percent since 2010.
Another study of all data breaches in 2013 by the Identity Theft Resource Center found that the health care sector suffered the highest number of attacks last year, outscoring the business sector for the first time in nearly a decade. Granted, the health care number may be distorted due to industry regulations that call for public disclosure of large breaches, but this is surely not a list one ought to feel comfortable topping.
Also troubling, a 2012 Ponemon Institute study on patient privacy and data security suggested that 69 percent of respondents' IT security and/or data protection activities did not include the security of FDA-approved medical devices. This mirrors a growing concern that our information security and risk management consultants are seeing in their work.
Additionally, while the numbers can vary by study, it appears that upward of 90 percent of health care organizations permit employees and clinicians to use their own mobile devices such as smartphones and tablets to connect to a provider's network or enterprise systems. The bring-your-own-device trend has further complicated the challenges of protecting sensitive ePHI, while increasing the risk quotient for provider IT and compliance departments. With mobile devices continuously blurring the lines between our work and personal lives, all too often we read about the well-intentioned employee who shifts data from a work device to devices or systems outside the safeguards and controls of a secure network. This is the definition of disaster waiting to happen if strict policies and procedures are not in place to govern bringing your own device.
Warding Off Danger
Health care organizations face increasingly complex federal, state and regional privacy and security regulations, and the corresponding fines are real: Health & Human Services doled out penalties ranging from several thousand dollars to well over $1 million per incident in 2013. And the bucks don't stop there. Given legal and breach investigation fees, costs for providing free credit monitoring services to impacted parties, staffing hotlines to handle inquiries, and a host of other miscellaneous damage control steps, the Ponemon Institute estimates the average economic impact of a data breach in health care to be about $2 million.
Providers that do not have their privacy and security house in order also can get tagged with meaningful use noncompliance violations resulting in reduced reimbursements and lost incentive payments. And, perhaps, more difficult to quantify is the diminished patient loyalty and poor public image that can result from high-profile cases.
Our organization, like others, provides security consulting services. With so much at stake and new information security threats constantly evolving, a key piece of advice our privacy and security consultants offer providers is this: "If you are engaging our services as only a function of 'checking the box,' you will remain at risk." Compliant is not always secure.
Indeed, safeguarding ePHI against unauthorized use and disclosure requires constant vigilance and a comprehensive, enterprise-aligned program for information security risk management. This includes a collaborative and integrated security technology framework, experienced and credentialed resources to operate that framework, and adherence to formal procedures and established best practices to ensure the efficacy of operations. If you want to enhance your information security posture, consider the following actions:
Develop a comprehensive risk management program and execute against it. In a security consulting methodology such as ours, a three-step process can metaphorically create a shield of protection for providers. The first step is to design the shield by performing a series of risk and threat assessments — a starting point for developing a broader, long-term security and privacy program. Next, thicken the shield by implementing administrative, physical and technical safeguards across the IT enterprise to mitigate the risks associated with maintaining ePHI. Ultimately, the goal is to preserve the shield through continuous formal risk management efforts, supported by the appropriate level of governance, documentation and ongoing remediation of security weaknesses.
Name a dedicated information security executive. With many CIOs already wearing multiple hats and reaching their workload limit, the burden of maintaining sole responsibility for a comprehensive enterprise security program often can be too much. Relying on an ace network guy to take on the task while giving him little to no authority to drive substantive change will not work either. Hence, there is a trend toward naming a chief information security officer, or CISO, to lead this key operational function. We are seeing this empowerment of a dedicated security executive in health care and across other industries. In fact, retail giant Target recently named its first CISO in the wake of its data breach last year.
Conduct regular risk analyses and follow through on findings. Increased enforcement efforts by the Office of Civil Rights under HIPAA, as well as new sanction guidelines under HITECH and significant meaningful use dollars at risk, have coalesced to spur many organizations to conduct the required risk-analysis activities. But as mentioned earlier, avoid bringing a check-the-box mentality to the table, and instead, truly invest in these activities. Re-evaluate and re-architect when the findings call for it. Use the regulations not only to compel consistency of action, but also to earn the trust of patients and staff by demonstrating a committed and focused stance on ensuring patient privacy and information security.
Get prescriptive with security controls. A key difference between the privacy and security disciplines is that the privacy guidelines for disclosing a potential breach of sensitive information are much more prescriptive than their security counterparts. In fact, the industry has become quite good at handling such matters. In security, however, there is constant inherent risk in the acquisition and transfer of data and a vast array of options for safeguarding it. Aside from encryption, few security controls are prescribed. Often, we find that an organization is taking a particular security measure simply because that ace network guy happens to know he should, or because the CIO read an article about a fellow provider's incident and saw his own organization's shortcomings in the media report.
As most who have been forced to overhaul their information security and compliance practices can attest, taking a much more prescriptive approach to applying security controls at both the industry and provider levels can go a long way toward reducing the loss or theft of ePHI.
Don't overlook medical device security. Advances in electronic documentation, automation of clinical workflow and increased network integration have prompted providers to assimilate biomedical devices into their organizations' complex health care IT infrastructure. In fact, newer medical device technology often takes advantage of the same operating systems and protocols favored by mainstream IT developers. As such, these devices and platforms are susceptible to viruses and other threats that must be protected with diligence, given a device's critical function in the delivery of patient care, whether diagnostic or life-sustaining.
For example, medical devices using wireless networks can be especially vulnerable to attackers who monitor the network to obtain passwords. Perhaps most worrisome is the denial-of-service attack in which a device is taken offline or prevented from functioning as required. As a baseline safeguard, establish an inventory of devices connected to the hospital's network and catalog those who have access to those devices. Furthermore, when performing a risk analysis, be sure to identify the effects of a security breach on each networked medical device.
Not If, but When
Few hospitals will be the place where a starstruck staff member sneaks a peek at the next Kardashian baby's birth record. But for the majority of providers, it is entirely possible that an unencrypted device takes a walk, an email containing ePHI accidentally travels to the wrong recipient at the hands of a harried nurse, or a malicious attack strikes a vulnerable network. These are real threats that will not disappear even for the Fort Knox of all health systems.
As the exchange of ePHI among providers increases through participation in accountable care organizations and health information exchanges, and more and more care is being delivered outside the acute care environment, make data security a central component to how you manage your overall operations.
While it may feel like an uphill battle, you can easily find that the cost of not investing in improving your information security posture can far outweigh the costs of doing so.
John Glaser, Ph.D., is the CEO of the Health Services business unit of Siemens Healthcare in Malvern, Pa. He is also a regular contributor to H&HN Daily. Andrew Frazier, lead for information security risk management consulting, and Shawn Burgess, information security risk management consultant, Siemens Healthcare, contributed to this article.