Stage 2 Meaningful Use: The Next Step in Security Risk Analysis

Posted by Dan Berger in Main

At first read, the security risk analysis (SRA) provisions of the proposed Stage 2 “meaningful use” regulations appear to have changed only slightly from those in Stage 1. The language in the draft rule is nearly identical to Stage 1, with one notable addition: the clause on the encryption/security of data at rest in the text below.

“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

Covered entities and eligible providers must now address the issue of encryption of “data at rest” as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv), which reads: “Implement a mechanism to encrypt and decrypt electronic protected health information.” However, since it is categorized as an “addressable” control, it is not specifically mandated.

As part of Stage 2 Meaningful Use, encryption of “data at rest” must be considered as an addressable control. As such, providers need a process by which they evaluate whether the control is “reasonable and appropriate” and would likely contribute to protecting their health information. If the control is deemed “reasonable and appropriate,” then it must be implemented.

However, if the provider decides “encryption of data at rest” is not reasonable and appropriate, then it must 1) document why it is not reasonable and appropriate, and 2) implement an equivalent alternative measure if reasonable and appropriate. Despite a little remaining wiggle room, it has become increasingly difficult to justify not encrypting ePHI under the “reasonable and appropriate” caveat.

Turning to the new rules for EHR software certification, Stage 2 also requires the main software application “to be able to demonstrate the capacity to encrypt [data on] mobile devices in circumstances where the EHR technology manages the data flow on the mobile device.”

In our view, these provisions stop just short of a mandate. Determining reasonableness is not just about the cost of hardware and software or the complexity of implementation. It is more about whether or not the organization can execute the requirement consistently and effectively.

Given that the majority of significant breaches to date have been the result of lost or stolen devices containing unencrypted data, and the increasing mobility of data itself, it will be difficult to find “equivalent alternative measures.” That said, Redspin can provide a framework for considering the issue within our overall SRA roadmap and expert guidance on how to reasonably and effectively protect patient information.

A Blue Note: Looking Deeper at the 2009 PHI Breach at BlueCross BlueShield Tennessee

Posted by Dan Berger in Main

The cost of a significant data breach of protected health information (PHI) has been a popular topic in the news recently. The new ANSI publication “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security” debuted with much fanfare in D.C. earlier this month. White House Cybersecurity Czar Howard Schmidt kicked off a March 5th press conference where the release of the report was announced. His participation helped elevate the issue to a national audience.

The following day, many of the companies who helped ANSI produce the study revved up their own PR engines. Their warning: while the widespread adoption of electronic health records will ultimately translate into greater efficiencies and better patient care, it also creates the possibility for massive data breaches. The risks to healthcare organizations go far beyond the penalties imposed by HHS; organizations must also consider the costs of restitution, legal fees, media relations, brand damage, and exposure to class-action lawsuits.

It was against this backdrop on March 13th that the Department of Health and Human Services (HHS) announced a data breach resolution agreement with BlueCross BlueShield Tennessee (BCBST), including a settlement payment of $1.5 million for potential violations of the HIPAA Privacy and Security Rules. The breach was reported to HHS in 2009 when 57 unencrypted hard drives were stolen from a “data storage closet” in a customer call center facility that BCBST leased in Chattanooga, Tennessee. Over 1 million health records were affected. The personal data compromised included names, Social Security numbers, dates of birth, diagnosis codes and health plan ID numbers, contained in 1,000,000 audio and 300,000 video recordings of customer service calls.

At first glance, the $1.5 million fine looked very light for a breach affecting 1 million patients. Dr. Deborah Peel, founder of the Patient Privacy Rights Foundation, commented on ModernHealthcare.com that the amount of the fine was “practically nothing,” particularly for such a large insurer. Additional reports confirmed that since the incident, BCBST has spent over $17 million in investigation, notification and protection efforts. This was no doubt a factor that HHS considered when settling the case. In fact, the ongoing HHS/OCR investigation and the persistent “overhang” of pending enforcement action was likely, in and of itself, the justification for making these improvements. Under classic behavior modification theory, the threat of punishment can often be more effective than the punishment itself (if you have kids, you know what I mean).

Yet, the total of $18.5 million for a 1-million-record breach, or approximately $18.50 per record, pales in comparison to the estimates used in “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security.” Industry analysts consistently put the cost of a PHI or PII data breach in the hundreds of dollars per record. A common restitution offer of late has been credit monitoring services for each individual for 2-3 years to protect against medical ID theft, generally at a cost around $29 per individual per year. Recent class action lawsuits filed following PHI data breaches have asked for damages of $1,000 per patient.

So did BCBST get off easy? Well, they certainly did a good job of damage control. But in today’s environment, I doubt anyone could follow suit. BCBST very likely benefited from HHS/OCR not being in a position to immediately enforce the Breach Rule, given that the HITECH Act itself had only just been enacted a few months prior to the breach. Now, some 2½ years later, they’ve had a chance to implement a stronger IT security program, including the encryption of their PHI data at rest, a step we at Redspin strongly advocate. Also, no cases of ID theft or fraud have come to light as a result of their breach.

While BCBST admitted to no liability as a result of the theft of the data and hard drives, they did agree to a 450-day corrective action plan (CAP) under which their policies, procedures, security controls and operations will be under enhanced scrutiny. As I told Information Week Healthcare:

“The monetary penalty may grab headlines but it’s the corrective action plan that provides the most insight. Effective IT security and compliance is only possible through an ongoing process. BCBST has now agreed to periodically review its policies and procedures, conduct regular HIPAA training for all employees, and monitor adherence to its own corrective action plan.”

These provisions will add to BCBST’s operational overhead for sure, but in reality, the CAP just reinforces prudent and responsible information security management, something all healthcare organizations need to have in place now. The risks (and potential costs) of data breach will accelerate geometrically as the adoption, implementation, and utilization of electronic health records continues to increase.

The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security

Posted by Dan Berger in Main

On Monday, March 5th, I was invited to a press conference in Washington, D.C. announcing the release of “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” published by the American National Standards Institute (ANSI). The Honorable Howard A. Schmidt, White House Cybersecurity Czar, kicked off the event. Mr. Schmidt commented that “in the continuum of the cybersecurity issues we look at, (healthcare security) is obviously critical as this is one that affects everyone.”

It was great to see the White House advocating the importance of healthcare IT security, right on the heels of President Obama’s February release of a new framework for protecting consumer data privacy:

“One thing should be clear, even though we live in a world in which we share personal information more freely than in the past, we must reject the conclusion that privacy is an outmoded value. It has been at the heart of our democracy from its inception, and we need it now more than ever.”

– President Barack Obama

Mr. Schmidt referenced the President’s clarion call and concluded: “Without security, you don’t have privacy.”

The report itself, “The Financial Impact of Breached Protected Health Information – A Business Case for Enhanced PHI Security,” is a 67-page, glossy publication. Much like an annual report, it is attractively designed and professionally printed, and includes 13 tables as well as numerous charts and graphics. The project was a huge collaborative effort with 3 leads, 2 premium sponsors, and 10 partner sponsors. Credits were extended to 82 individuals and their respective organizations on the full Project Team. Boxes full of reports were available at the National Press Club and Rayburn House Office Building. Copies were distributed to the press, members of Congress, and their aides. The report is also downloadable from ANSI at: http://webstore.ansi.org/phi/

The bulk of the report is a compilation of previously-published research, surveys, statistics, and news articles (as evidenced by the 122 footnotes). While it breaks no new ground, it is a useful marketing communications piece that will raise overall awareness of the IT security risks and challenges facing the healthcare industry.

At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called “PHIve.” Its end goal is to enable an organization to calculate how much it should invest to reduce the risk of data breach. I am not a fan of this approach (see my upcoming presentation “In Praise of Qualitative Risk Analysis” at NCHICA’s 8th Annual Academic Medical Center Conference, April 23-25 in Chapel Hill, N.C.). However, the first of PHIve’s steps is: “Conduct a Risk Assessment – Assess the Risks, Vulnerabilities, and Applicable Safeguards.”

Sound familiar? It should. After all, it is a requirement of the HIPAA Security Rule. More recently, nearly identical language regarding security risk analysis has been included in the core requirements of Stage 1 and Stage 2 “meaningful use” for covered entities, eligible hospitals and eligible providers. Yet, at the Congressional lunch launch of The Financial Impact of Breached Healthcare Data, Joy Pritts, HHS’ Privacy and Security Officer, lamented: “It is quite telling that a recent HIMSS survey found that 25% of respondents had not even conducted a security risk assessment. It’s been part of the HIPAA Security Rule for what, the past 5 or 6 years?”

Redspin has conducted HIPAA Security Risk Analysis projects for dozens of hospitals over the past year, enabling them to attest to Stage 1 meaningful use as well as maintain their compliance with the HIPAA Security Rule. While the PHIve quantitative risk methodology gets extremely elaborate, note that even it begins with a security risk assessment. It is a logical starting point. And in our view, Redspin’s security assessments enable you to significantly reduce your risk before making a single calculation. That’s invaluable, particularly with the increased attention on healthcare IT security at the highest levels of the Federal government.

Stage 2 Meaningful Use – Addressing Encryption/Security

Posted by Dan Berger in Main

Last week, Health and Human Services Secretary Kathleen Sebelius reported that the number of hospitals using electronic health records (EHR) has more than doubled in the last two years, from 16 to 35 percent. She also said that 85 percent of all hospitals now report that by 2015 they intend to participate in the Centers for Medicare and Medicaid Services’ (CMS) EHR incentive program.

Also last week, CMS released the proposed Stage 2 Meaningful Use requirements for public comment. The draft rule gives eligible hospitals and providers a good indication of where to focus their efforts as they continue their implementation and adoption of electronic health records throughout their organizations. Stage 1 was mostly about transferring data to EHRs and being able to share information, including electronic copies and visit summaries for patients. Stage 2 moves the goalposts further downfield, requiring that patients have online access to their health information and facilitating electronic health information exchange between providers.

The Stage 2 core requirement for IT security uses nearly identical language to Stage 1 regarding updating or conducting a HIPAA security risk analysis. Both Stage 1 and Stage 2 rely on the HIPAA Security Rule provisions under federal code 45 CFR. HIPAA deems encryption an “addressable” specification, meaning a covered entity decides if it is a “reasonable and appropriate” technical security step to implement. The Security Rule enables an entity to adopt an alternative protective measure that achieves the same purpose.

The difference between Stage 1 and Stage 2 on this issue is subtle but significant. Stage 1 only mentioned the security risk analysis provision. However, by specifically calling out the issue of encryption at rest in Stage 2, CMS has heightened the importance of analyzing the pros and cons of using the technology. The complete language of the core objective for both hospitals and eligible providers requires that they:

“Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1), including addressing the encryption/security of data at rest in accordance with requirements under 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3), and implement security updates as necessary and correct identified security deficiencies as part of the provider’s risk management process.”

As Redspin reported in our February 1st Breach Report 2011 – Protected Health Information:

“Of the 385 incidents affecting 500 or more individuals, 55% involved unencrypted devices or media. The Federal government is unlikely to mandate that all portable devices that store ePHI be encrypted, but it’s an obvious and sensible policy for a healthcare organization to adopt. Taking it further, why not require that all mobile devices in the healthcare workplace be encrypted, even if ePHI is not allowed on them?”

As we predicted, the government stopped short of a mandate. There is no movement afoot to change or add to the HIPAA Security Rule requirements. But in Stage 2 they emphasized that an eligible provider (EP) or hospital should consider encrypting electronic protected health information as part of its security risk analysis, and where it is not “reasonable and appropriate,” adopt an equivalent alternative measure of securing data.

Sometimes, you have to read between the lines… or in this case, read between the forward slash. We’ll be talking about the phrase “addressing the encryption/security of data at rest” for the next few years.