Over the past year, Redspin (along with many others) has reported that breaches of protected health information (PHI) are at epidemic levels. We've all based this assertion on quantitative statistics. The Breach Notification Rule requires that healthcare providers report "large" PHI breaches (defined as those affecting more than 500 records) to HHS, which then publishes those details on its website, the so-called "Wall of Shame." Numerous presentations, news articles, blog posts, and tweets have reported on the most egregious offenses and the alarming aggregate: 525 breaches involving 21.4 million patient records over the past 3 years.
However, "smaller" breaches (fewer than 500 records) must also be reported to HHS, on an annual basis. Over this same 3-year period, approximately 60,500 of these smaller breaches have been disclosed. Although they are not posted publicly, they are not immune from the federal government's HIPAA enforcement arm. Earlier this month, the HHS Office for Civil Rights (OCR) reached a $50,000 settlement agreement with Hospice of North Idaho pertaining to the loss in 2010 of a laptop computer that contained the records of 441 patients.
The punitive action was intended to send a strong message. Whether the breach itself is big or small, the potential for personal harm resulting from a PHI breach of even a single record is staggering. To date, discussions of the fall-out from these incidents have centered on the financial implications, such as identity theft and medical insurance fraud. But the risk is much greater than that. Electronic medical records store not only personally identifiable information but also personally sensitive information such as diagnoses, treatment plans, prescription information, and complete medical histories. Individuals have every right to expect that this information remains private and confidential; indeed, that right is protected by law. Further, when doctors, nurses, and emergency rooms must rely on the integrity and availability of EMRs to determine ongoing treatment, the risks caused by a data breach can create life-or-death situations.
Yet as more and more medical records are converted to electronic form and stored electronically, and become accessible over more and more networks, they present increasingly lucrative targets for hackers. It is simply not enough for healthcare providers to maintain compliance with government privacy and security regulations. Nor is it acceptable to do a HIPAA security risk analysis only every other year. Covered entities need to invest the time, effort, and resources to make IT security an organizational imperative, with a dedicated and sustained IT security program.
Redspin's specific recommendations now include "continuous vulnerability scanning and remediation." Real vulnerability management is a continuous cycle of testing, remediation, and re-testing. Comparing each scan against the previous one lets an organization see which earlier vulnerabilities have been fixed, which remain open (and for how long), and which new issues have been introduced since the last test. Redspin now offers a cloud-based SaaS service that reports these results automatically at periodic intervals via a web-based portal.
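To make the scan-over-scan comparison concrete, here is an added example (written for this post, not Redspin's service code) that takes two consecutive scan exports, classifies every finding as fixed, persisting, or new, and flags persisting findings that have exceeded a remediation window. The host names, check identifiers, scan dates, and the remediation windows per severity are all constructed for illustration and are not drawn from any real scanner or from the post.

```python
"""Scan-over-scan vulnerability tracking: fixed / persisting / new, plus overdue items.

Added example; not Redspin's code. All hosts, check ids, dates and SLA windows
below are constructed sample values, not real scanner output.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    check_id: str   # scanner-specific check identifier (hypothetical labels here)
    severity: str   # one of SEVERITY_RANK's keys
    title: str

    @property
    def key(self):
        # A finding is "the same" across scans if host, port and check match.
        return (self.host, self.port, self.check_id)


SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}
# Assumed remediation policy (days open before a finding counts as overdue).
REMEDIATION_SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


def diff_scans(previous, current):
    """Classify findings by comparing the previous and current scan results."""
    prev = {f.key: f for f in previous}
    curr = {f.key: f for f in current}

    def ranked(findings):
        # Highest severity first, then host/port for a stable, readable report.
        return sorted(findings, key=lambda f: (-SEVERITY_RANK[f.severity], f.host, f.port))

    return {
        "fixed": ranked(prev[k] for k in prev.keys() - curr.keys()),
        "persisting": ranked(curr[k] for k in prev.keys() & curr.keys()),
        "new": ranked(curr[k] for k in curr.keys() - prev.keys()),
    }


def update_first_seen(first_seen, current, scan_date):
    """Return a new first-seen map: keep dates for still-open findings, stamp new ones."""
    open_keys = {f.key for f in current}
    updated = {k: d for k, d in first_seen.items() if k in open_keys}
    for k in open_keys:
        updated.setdefault(k, scan_date)
    return updated


def overdue(current, first_seen, today):
    """Open findings whose age exceeds the remediation window for their severity."""
    late = []
    for f in current:
        age_days = (today - first_seen[f.key]).days
        if age_days > REMEDIATION_SLA_DAYS[f.severity]:
            late.append((f, age_days))
    return sorted(late, key=lambda fa: (-SEVERITY_RANK[fa[0].severity], -fa[1]))


# Constructed sample scans (two weeks apart). One high fixed, one low introduced.
SCAN_1_DATE = date(2013, 1, 7)
SCAN_1 = [
    Finding("emr-web-01", 443, "ssl-weak-ciphers", "medium", "Weak TLS cipher suites enabled"),
    Finding("emr-web-01", 443, "app-outdated", "high", "Outdated application server"),
    Finding("file-srv-02", 445, "smb-signing", "medium", "SMB signing not required"),
    Finding("db-01", 1433, "sql-default-creds", "critical", "Default database credentials"),
]
SCAN_2_DATE = date(2013, 1, 21)
SCAN_2 = [
    Finding("emr-web-01", 443, "ssl-weak-ciphers", "medium", "Weak TLS cipher suites enabled"),
    Finding("file-srv-02", 445, "smb-signing", "medium", "SMB signing not required"),
    Finding("db-01", 1433, "sql-default-creds", "critical", "Default database credentials"),
    Finding("emr-web-01", 443, "dir-listing", "low", "Directory listing enabled"),
]


def run_report(prev_scan, prev_date, curr_scan, curr_date):
    """Full cycle: diff the scans, age the open findings, list overdue ones."""
    first_seen = update_first_seen({}, prev_scan, prev_date)
    first_seen = update_first_seen(first_seen, curr_scan, curr_date)
    return diff_scans(prev_scan, curr_scan), first_seen, overdue(curr_scan, first_seen, curr_date)


if __name__ == "__main__":
    delta, seen, late = run_report(SCAN_1, SCAN_1_DATE, SCAN_2, SCAN_2_DATE)
    for bucket in ("new", "persisting", "fixed"):
        print(f"{bucket}: {[f.check_id for f in delta[bucket]]}")
    for f, age in late:
        print(f"OVERDUE {f.severity} {f.host}:{f.port} {f.check_id} open {age} days")
```

The point of keeping a first-seen map, rather than just diffing two reports, is that it turns "persisting" into a measurable age per finding; the overdue list is what a security lead would bring to the Board-level report discussed below, and the windows should be replaced with the organization's own remediation policy.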
Lastly, there are organizational issues that often present as much or more risk than technical vulnerabilities. First, it is essential that a security "chain of command" exist in each healthcare provider, with a single senior-level executive owning overall responsibility for IT security. We also believe that regular reports on IT security should be given at the Board level. Another often overlooked area is IT security awareness training for all employees. Given that a large percentage of PHI data breaches to date can be traced to human error, it is the organization's responsibility not simply to enforce policies but to proactively train its workforce.