From Healthcare Musings – May 2011
by Michael (Mac) H. McMillan
May 2011 – Six years after the HIPAA Security Rule went into effect, more than 31,000 breaches of patient information have been reported. What’s especially disturbing is that the overwhelming majority of these incidents were either self-inflicted by the organization or entirely avoidable.
This month the National Institute of Standards and Technology (NIST) and the Office for Civil Rights (OCR) held their third annual conference on Privacy and Security in Washington, D.C. Foremost on everyone’s mind was the latest status of HITECH rulemaking and more insight into OCR’s recent and future enforcement activities. 2010 saw over 240 major breaches (incidents involving more than 500 individuals’ records) and approximately 31,000 smaller breaches reported to OCR. Thousands of others went unreported, either because they did not meet the threshold for harm or because they were never discovered. In the first case, the organization determined that the incident did not present significant risk to those whose records were exposed; in the second, the hospital simply lacked the ability to detect the breach.
In any other regulated industry these numbers would probably set off alarms. It is no surprise that in 2011 we have begun seeing fines levied against organizations that had incidents in 2010. Part of the lag is due to the time needed to conduct the investigation and the rigorous process around assigning a fine. OCR is diligently investigating all complaints and major breaches reported. Since it assumed this responsibility from CMS in mid-2009, a complaint is 400% more likely to result in required corrective action. Other organizations that have had incidents, while not fined, have entered into Resolution Agreements with detailed remediation plans and regular government oversight. And Health and Human Services (HHS) has followed through on its responsibility to empower states’ Attorneys General to carry out their HIPAA enforcement duties by providing training to their staffs. These actions increase the likelihood of investigation and the potential for adverse financial or reputational consequences.
Equally disturbing are the types of incidents most likely to lead to a breach, as evidenced by OCR’s 2010 lessons learned. More than 67% of breaches involved some form of physical loss or theft of a computer system or device. The remaining 33% of identified causes included unauthorized access, hacking and improper disposal of information. This should serve as a wake-up call for healthcare executives and Board members. No one is immune to computer incidents or inappropriate behavior. However, the best organizations understand this and focus on prevention and detection rather than reaction. Herein lies the problem, and the challenge, in healthcare.
Healthcare today, on average and according to just about any survey or study available, spends significantly less on data security than comparable regulated industries. In fact, healthcare still relies on manual and reactive processes for activity monitoring in enterprises that comprise hundreds of applications, thousands of systems and thousands of users. This shortfall is even more significant when one considers the amount of personal information healthcare entities process, the number of organizations and people who have access to that information, the vastness and complexity of their networked environments, and today’s requirements for exchanging information with others.
The answer is a paradigm shift for the industry, and it will have to start with healthcare executives. Data security, like any other business area, receives attention consistent with the priority executive leadership gives it. Data security is a major area of responsibility, and one that will only grow, yet few hospitals have information security governance structures that regularly oversee budget, resources, performance and accountability. Executives should be asking: Are we managing data responsibly? Are we reducing our data security risks where possible? Are we doing enough to prevent and detect these risks? Are we creating an environment where patients, physicians, family, staff and others involved in care can interact and share information with confidence? Interestingly enough, the cost of doing this correctly is often far less than the cost of remediation following an incident. The answer is that healthcare executives and Boards need to make data security a business imperative: conveying to all workforce members, regardless of status, that respecting patient privacy and protecting information is part of how we do what we do, and backing that up with appropriate oversight, resources and attention.
Information security is no different from any other discipline or program. When executive leadership establishes the priority and sets the tone that this is a serious and important part of who we are and how we are perceived, it will become more central to any discussion involving systems and data. When that happens, the emphasis will shift to prevention and detection, and there will be less need for reaction. Then we will see the number of breaches decline.