As required by section 13402(e)(4) of the HITECH Act, the HHS Secretary must post a list of breaches of protected health information (PHI) impacting 500 or more individuals. In the past 2 years, over 11.8 million Americans have been affected in nearly 330 separate incidents. This information is contained in a publicly searchable and downloadable database. Thus many organizations (including Redspin) have published “PHI breach reports” which summarize the data and offer conclusions based on the results of the past 2 years.
Relying solely on historical data has limitations, particularly in such dynamic, fast-moving arenas as healthcare and IT. Any conclusions drawn may turn out to be less predictive or prescriptive than originally put forth. The old adage “if we don’t learn from history, we are doomed to repeat it” is diluted by the pace of technological change. Relatively new innovations such as smart phones, iPads, and social media continue to alter the nature of human-machine interaction, workflow and social reach. With new modalities for patient care, such as genetic-driven personalized medicine and mobile consumer health applications, one can easily conclude that how a patient’s health record was breached in 2010 will have little relevance in 2014.
As a case in point, Bloomberg Businessweek recently reported on a new healthcare industry privacy and security report released by PwC’s Health Research Institute. The article was entitled “Theft of Digital Health Data More Often Inside Job, Report Finds” (Sep 22, 2011). Presumably, the editor relied on the following two statements from the report to support the title: “Theft accounted for 66 percent of publicly reported breaches” and “Thieves are most often ‘knowledgeable insiders.’”
Ah, the dangers of oversimplification. If I were a healthcare CIO or Chief Privacy Officer, I might conclude that my security risk would be markedly reduced with daily shakedowns of all staff and more extensive background checks of prospective new employees. Worse, based on history alone, I might dismiss external hackers as not much of a threat to electronic protected health information (ePHI).
Yet, just this same month, RSA re-released a re-formatted, modestly updated 2009 report entitled “Cybercrime and the Healthcare Industry.” This paper discusses the rise of underground cybercrime networks and explains why a stolen medical identity has 10 times the relative value of a “regular” stolen identity. Looking into its encrypted crystal ball, RSA concludes: “Cybercrime in healthcare is just starting to evolve but could quickly become a devastating industry, economic and societal problem.”
Whether the threat is an inside job or underground cybercriminals, most healthcare organizations are underprepared for data breaches. PwC’s report “Old Data Learns New Tricks: Managing Patient Privacy and Security on a New Data Sharing Playground” (despite the wildly mixed metaphor) was supported by over 600 interviews with healthcare executives. The 40+ page document is an excellent treatise on the importance of healthcare IT security, only slightly self-serving, and accurately summarizes the health data breach problem as follows: “Breaches erode productivity and patient trust. They’re costly, unpredictable, and unfortunately quite common.” (p. 3)
Those in the healthcare IT industry face an increasingly complex challenge. Patients, providers, payers, business associates, researchers and industry economics will demand a significant increase in data sharing. At the same time, the threat surface for data breach will increase exponentially, exacerbated by personal and mobile communications devices and the overall multiplicity of end-points. History can offer only limited guidance. To borrow from Aldous Huxley and Shakespeare, it’s a brave new world, and a world without data islands. Redspin will meet you there.