Healthcare // Security & Privacy
News
11/18/2013
09:05 AM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Sloppy Handling Of Patient Data Always A Danger

HIPAA compliance can be a headache, especially when patient data falls through the cracks.

The rules of the privacy game have changed and the stakes are higher than ever before when protecting patient information in transit.

With advancements in both consumer and healthcare technology, protection of patient information is critically important and equally challenging to achieve. Providers want to get information from point A to point B in the easiest way possible, even if it means using insecure email channels and violating the Health Insurance Portability and Accountability Act (HIPAA).

"If it's going to be secure, it's going to be harder to deal with," said Aaron Titus, chief privacy officer and counsel at Identity Finder, a sensitive data management firm. "Doctors and end-users will always find a way to do their jobs following the path of least resistance."

Most HIPAA violations occur accidentally, usually due to a lack of understanding of the law, which was enacted in 1996 and updated under the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH).

[Where breaches come from: Think Hackers Are IT's Biggest Threat? Guess Again.]

HIPAA includes a Privacy Rule, which protects the privacy of identifiable health information; a Security Rule, which sets national standards for the security of electronic protected health information (PHI); and a Breach Notification Rule, which requires covered entities and business associates to provide notification after a breach of unsecured PHI. PHI includes any individually identifiable health information.

The devil is in the details when it comes to HIPAA, and those details have only become more complicated with time. In January 2013, HIPAA was updated to include the Final Omnibus Rule, which updated the Security Rule and Breach Notification Rule to include business associates in addition to covered entities. Previously, only covered entities such as hospitals or practices were subject to HIPAA. Now third-party vendors are included. The changes went into effect on September 23.

Most breaches occur due to human error, not technology slip ups. Laptops are left on trains, sensitive emails are sent unencrypted, and devices are left unlocked. Privacy and security technology is readily available and largely successful -- if used properly. The problem is that security safeguards can be cumbersome. Doctors want easy access. They don't want to enter three passwords to view patient records or remember to use encryption software before clicking send.

So they get around it by using insecure services such as Gmail and Dropbox, and in turn put themselves and their institution at risk.

"Security always has a human factor," said Lee Kim, the director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS)."The problem is in people not following protocol. They're circumventing the technology."

HIPAA non-compliance comes at a high cost. There are financial and legal ramifications. The bottom line: It's bad for business. While there's no legal mechanism under HIPAA for an individual to sue a healthcare provider for a breach, individuals can file a complaint with Health and Human Services' Office for Civil Rights, which is responsible for enforcing HIPAA Privacy and Security Rules. From there, a full-on investigation can be launched.

If a breach does occur, the best course of action is to get in front of the issue. Assess the scale of the incident, inform upper management and call in attorneys, said Stephen Cobb, senior security researcher at ESET, a cyber-security firm that works on HIPAA compliance.

"Avoid underestimating the size or seriousness of the breach," Cobb said. "It's better two weeks after the initial announcement to say, 'It's not as bad as we thought,' rather than upping the number."

In February 2010, Jim Donaldson found himself in a sticky situation. Baptist Health Care Corporation, where Donaldson is the director of corporate compliance, had just bought a large cardiologist group that included about 40 physicians. One of the group's diagnostic laptops containing 7,600 patient names, dates of birth, and medical records was stolen three days before Baptist Health Care signed the deal with the cardiologist group.

"We essentially bought the problem," Donaldson said. "There were more than 7,000 people we had to notify, along with local media outlets. Within a few days, we were contacted by the Office of Civil Rights and a full-fledged investigation was launched."

That investigation is still underway. A saving grace was the organization's meticulous documentation. The computer was behind a locked door and under security camera surveillance. The thief knew the combination, suggesting an inside job. Because the company was able to prove this with documentation, they avoided some of the steeper penalties.

Hackers looking to break into a health system aren't necessarily looking for patients' health information. Most are more interested in social security numbers and billing information, Cobb said.

The US is a leader in both the size and cost of breaches, according to the Ponemon Institute's 2013 Cost of Data Breach Study, which examined costs incurred by 277 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data.

Among the US companies examined, an average of 28,765 records were exposed or compromised in 2012, costing an average of $5.4 million. The healthcare industry had the highest per capita data breach cost compared to all other industries.

The solution lies in creating a culture of privacy, and at the core of that culture is education.

"The thing that hasn't been done over the last 10 years is to keep the general public, most employees at most companies, up to speed on what the threats are," Cobb said. "What does the criminal underground look like? What do phishing attacks look like? Educate and emphasize the consequences."

Though the online exchange of medical records is central to the government's Meaningful Use program, the effort to make such transactions routine has just begun. Also in the Barriers to Health Information Exchange issue of InformationWeek Healthcare: why cloud startups favor Direct Protocol as a simpler alternative to centralized HIEs. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
G. Scott
50%
50%
G. Scott,
User Rank: Apprentice
11/20/2013 | 3:00:18 PM
Sloppy Handling
The biggest source of data breaches due to sloppy handling is not lost laptops, human mishap or even a one-time event.  The biggest source of data breaches occurs during the IT recycling process.  I see healthcare organizations routinely hand over laptops, PCs and servers loaded with hard drives to electronic recyclers.    

My company is a NAID Certified for hard drive destruction, performs HDD shredding onsite while the client watches and carries professional liability insurance to cover Breach Notification...helping organizations comply with HIPAA.  Still, we lose business to electronic recyclers because the person responsible for discarding old IT equipment doesn't understand the "authorized access" or doesn't have the $5.00 budget to shred a hard drive.
MNJander
50%
50%
MNJander,
User Rank: Apprentice
11/18/2013 | 3:23:45 PM
Re: Too Small to Fail?
Thanks for pointing out how much human error is involved in major medical data breaches, Alex. One of the most senseless (IMO) and avoidable problems seems to come from lost laptops. It would be easier to avoid breaches if employees (or contractors, in many cases) don't see fit to haul valuable data off site. Some simple rules made by IT might help.
Alex Kane Rudansky
50%
50%
Alex Kane Rudansky,
User Rank: Author
11/18/2013 | 9:52:56 AM
Re: Too Small to Fail?
Thanks for your comment, Alison. You're right - government agencies are stretched very thin. I wonder if the rapid adoption of EHRs (and resulting increased chance of leaks/breaches) will cause the government to beef up their HIPAA enforcement efforts in years to come.
Alison Diana
50%
50%
Alison Diana,
User Rank: Moderator
11/18/2013 | 9:40:51 AM
Too Small to Fail?
Small doctor offices are not under the radar. Often, disgruntled patients or (ex) employees will report them to officials, according to articles I've read about smaller providers that have been fined for abusing HIPAA. Government agencies are always stretched thin; the public is not -- and no service provider ever has 100% satisfaction! As your article says, a lot of times breaches come down to human error, not technology. A clerk leaves papers on a desk; a receptionists discusses a patient in a waiting room, or a doctor loses her phone. 
Healthcare Data Breaches Cost More Than You Think
Healthcare Data Breaches Cost More Than You Think
Healthcare providers just don't get it. They refuse to see the need to fully secure their protected health information from unauthorized users -- and from authorized users who abuse their access privileges. As a result, they don't allocate enough budgetary resources for securing medical data.
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Tech Digest - July10, 2014
When selecting servers to support analytics, consider data center capacity, storage, and computational intensity.
Flash Poll
Video
Slideshows
Twitter Feed
InformationWeek Radio
Archived InformationWeek Radio
Join InformationWeek’s Lorna Garey and Mike Healey, president of Yeoman Technology Group, an engineering and research firm focused on maximizing technology investments, to discuss the right way to go digital.
Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.