Certain types of computer dysfunction are analogous to disease, at least in a descriptive sense. For example, we say that a PC can get “infected” by a computer “virus.” The recent rash of hacker attacks makes me wonder if we’re on the verge of a data breach “epidemic?”
True epidemics occur when new human cases of a certain disease substantially exceed what is expected over a period of time. Epidemic diseases need not be communicable; they occur when there is an accelerating number of exploits of similar weaknesses in the human immune system. (Note the clever use of the analogy in reverse.) It’s not much of a stretch, then, to apply the concept of an epidemic affecting the human body to one that cripples IT infrastructures.
Perhaps recent events even warrant the use of pandemic. There have been over 11 million personal health records compromised in major data breaches in the U.S. since September 2008. Last week, 8.6 million health records were reported at risk due to an unencrypted missing laptop in London. Add recent hacker intrusions at Epsilon, Sony, the IMF, Citibank, Sega etc. and reported incidents are clearly accelerating at a staggering rate.
This must be disturbing news for a healthcare industry moving forward aggressively on the implementation and adoption of electronic health records. But consider this instead a call-to-action. Providers and business associates should seize this moment to take preventative measures. Hospitals and providers can leverage the mandatory security requirements of the “meaningful use” EHR incentive program to build organization-wide consensus and gain budget approval to invest now in their IT security future.
To qualify for incentive payments under meaningful use, covered entities and eligible providers must “conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.” What an opportune time to revisit and revamp the outmoded, insufficient, neglected and/or minimal security risk programs that were likely put in place years ago.
For forward-thinking business associates, this is an opportunity too. Direct liability for ePHI data breach won’t transfer to business associates until sometime in 2012, but there’s no time like the present. In IT security, preventative action trumps reaction and damage control. Just ask Sony. And, as a “culture of security” grows among healthcare providers, business associates will find that data security becomes not only a requirement of doing business with health providers but also a competitive differentiator.
So how do we all work together to prevent a data breach epidemic? In the 1995 movie “Outbreak” one proposed solution was to drop a fuel-bomb on a city where the virus had been contained. But data breaches are rarely containable and even if they were, I doubt there would be many fuel-bombs dropped anywhere but in the computer war game Call of Duty.
Our “call of duty” to prevent data breach outbreaks or epidemics is to first understand that security is an end-to-end process. In this new environment, where networks, and networks of networks, will be able to provide an access path to the most sensitive personal information, there is no such thing as containment. To quote John Halamka, MD, MS, CIO at Beth Israel Deaconess Medical Center: “the healthcare system is as vulnerable as its weakest link. Thus each application, workstation, network and server within the enterprise must be secured to a reasonable extent.” That is your mission. And Redspin’s job is to help you achieve it.