The rules of the privacy game have changed and the stakes are higher than ever before when protecting patient information in transit.
With advancements in both consumer and healthcare technology, protection of patient information is critically important and equally challenging to achieve. Providers want to get information from point A to point B in the easiest way possible, even if it means using insecure email channels and violating the Health Insurance Portability and Accountability Act (HIPAA).
"If it's going to be secure, it's going to be harder to deal with," said Aaron Titus, chief privacy officer and counsel at Identity Finder, a sensitive data management firm. "Doctors and end-users will always find a way to do their jobs following the path of least resistance."
Most HIPAA violations occur accidentally, usually due to a lack of understanding of the law, which was enacted in 1996 and updated under the 2009 Health Information Technology for Economic and Clinical Health Act (HITECH).
HIPAA includes a Privacy Rule, which protects the privacy of identifiable health information; a Security Rule, which sets national standards for the security of electronic protected health information (PHI); and a Breach Notification Rule, which requires covered entities and business associates to provide notification after a breach of unsecured PHI. PHI includes any individually identifiable health information.
The devil is in the details when it comes to HIPAA, and those details have only become more complicated with time. In January 2013, HIPAA was updated to include the Final Omnibus Rule, which updated the Security Rule and Breach Notification Rule to include business associates in addition to covered entities. Previously, only covered entities such as hospitals or practices were subject to HIPAA. Now third-party vendors are included. The changes went into effect on September 23.
Most breaches occur due to human error, not technology slip-ups. Laptops are left on trains, sensitive emails are sent unencrypted, and devices are left unlocked. Privacy and security technology is readily available and largely successful -- if used properly. The problem is that security safeguards can be cumbersome. Doctors want easy access. They don't want to enter three passwords to view patient records or remember to use encryption software before clicking send.
So they get around it by using insecure services such as Gmail and Dropbox, and in turn put themselves and their institution at risk.
"Security always has a human factor," said Lee Kim, the director of privacy and security at the Healthcare Information and Management Systems Society (HIMSS). "The problem is in people not following protocol. They're circumventing the technology."
HIPAA non-compliance comes at a high cost. There are financial and legal ramifications. The bottom line: It's bad for business. While there's no legal mechanism under HIPAA for an individual to sue a healthcare provider for a breach, individuals can file a complaint with Health and Human Services' Office for Civil Rights, which is responsible for enforcing HIPAA Privacy and Security Rules. From there, a full-on investigation can be launched.
If a breach does occur, the best course of action is to get in front of the issue. Assess the scale of the incident, inform upper management and call in attorneys, said Stephen Cobb, senior security researcher at ESET, a cyber-security firm that works on HIPAA compliance.
"Avoid underestimating the size or seriousness of the breach," Cobb said. "It's better two weeks after the initial announcement to say, 'It's not as bad as we thought,' rather than upping the number."
In February 2010, Jim Donaldson found himself in a sticky situation. Baptist Health Care Corporation, where Donaldson is the director of corporate compliance, had just bought a large cardiologist group that included about 40 physicians. One of the group's diagnostic laptops containing 7,600 patient names, dates of birth, and medical records was stolen three days before Baptist Health Care signed the deal with the cardiologist group.
"We essentially bought the problem," Donaldson said. "There were more than 7,000 people we had to notify, along with local media outlets. Within a few days, we were contacted by the Office of Civil Rights and a full-fledged investigation was launched."
That investigation is still underway. A saving grace was the organization's meticulous documentation. The computer was behind a locked door and under security camera surveillance. The thief knew the combination, suggesting an inside job. Because the company was able to prove this with documentation, they avoided some of the steeper penalties.
Hackers looking to break into a health system aren't necessarily looking for patients' health information. Most are more interested in Social Security numbers and billing information, Cobb said.
The US is a leader in both the size and cost of breaches, according to the Ponemon Institute's 2013 Cost of Data Breach Study, which examined costs incurred by 277 companies in 16 industry sectors after those companies experienced the loss or theft of protected personal data.
Among the US companies examined, an average of 28,765 records were exposed or compromised in 2012, costing an average of $5.4 million. The healthcare industry had the highest per capita data breach cost compared to all other industries.
The solution lies in creating a culture of privacy, and at the core of that culture is education.
"The thing that hasn't been done over the last 10 years is to keep the general public, most employees at most companies, up to speed on what the threats are," Cobb said. "What does the criminal underground look like? What do phishing attacks look like? Educate and emphasize the consequences."
Though the online exchange of medical records is central to the government's Meaningful Use program, the effort to make such transactions routine has just begun. Also in the Barriers to Health Information Exchange issue of InformationWeek Healthcare: why cloud startups favor Direct Protocol as a simpler alternative to centralized HIEs.