The medical information of 150 million Americans has been exposed through 1,500 breach incidents since late 2009. More recently we’ve seen a handful of hospitals succumb to ransomware that locks down key parts of their systems and grinds operations to a halt. With healthcare becoming more of a “team sport” through new payment models and the advent of the Internet of Things (IoT), it’s time for healthcare organizations across the country to change their story when it comes to security and compliance.
Whenever it's time to make big changes, the first thing to do is understand the current state of things. A recent study from the Brookings Institution titled Hackers, phishers, and disappearing thumb drives: Lessons learned from major health care data breaches aims to help us do just that. Led by Niam Yaraghi, the study set out to evaluate all of the breaches listed on the OCR's "Wall of Shame". As Yaraghi points out, the OCR doesn't release its detailed findings to the public, which is a missed opportunity for other healthcare organizations to learn from the experiences of those affected. The study's objective was therefore to fill this void by interviewing the affected organizations to extract and share those lessons. Given the cautious nature of the healthcare industry, it's no surprise that many were reluctant to share. Still, 22 of the 283 organizations contacted for the study participated in interviews. Their stories provide great insight into the risks faced by the industry and instruction on how similar organizations can improve their own security and compliance programs.
NOTE: This post is not a summary of Yaraghi’s work (which is excellent and you should read it), but it guided my thinking and it is referenced throughout.
What’s At Stake?
The first thing healthcare organizations need to understand is their level of risk. If you don’t understand the potential problems and consequences then you won’t be able to evaluate need or properly align resources to address it. Organizations affected by security incidents pay the price in a number of ways:
The media loves a good breach story. It’s evident in the headlines and social media commentary when a breach is reported. If you suffer a “reportable” breach, you can rest assured that everyone will know about it. In the old days healthcare consumers had little choice. Organizations would apologize and pay the fines, but after a brief time the headlines faded and their revenue was unchanged. As consumers continue to gain more choices in healthcare through insurance exchanges and a more consumer-driven delivery system, the effects of these breaches on organizations will be longer-lasting and will hit the revenue stream.
The study's respondents described a punitive and slow audit process lasting almost two years. During that time OCR auditors were largely unavailable and came back at unpredictable intervals for more information. Every time this happened the organization had to redirect resources from other initiatives to deal with the auditors' requests. In a transforming market with emerging alternative payment models and a constant stream of regulatory requirements and initiatives to support them, organizations cannot afford this type of disruption. In the case of ransomware, the disruption is even more acute and it can force hospitals to turn patients away.
The costs of notifications, fines, mitigation efforts, etc. really add up. The per-record cost of healthcare data breaches is $363, the highest of all industries.
These three examples alone make a pretty good case that there’s a lot of value in having a sound security and compliance program in place.
How Do The Breaches Happen?
Hacking, loss, theft and improper disposal of records make up the lion's share of the records lost. Each of these issues can be addressed and largely mitigated by a sound security and compliance program. The study says:
In many of the interviewed organizations, privacy breaches could have been prevented had the organization spent enough on security technologies or diligently implemented and followed privacy policies. Health care organizations now have access to both the knowledge and technology that is required to ensure the privacy of their patients.
I thoroughly believe this is true. In my experience, healthcare organizations are far more worried about their (often very weak) HIPAA compliance strategy than they are about actual data security. Many people blame HIPAA for this, claiming that it's too broad, outdated and non-prescriptive. They say there should be very specific guidance about what kind of security is required to be "HIPAA-compliant". First of all, these same people will line up to complain that the over-prescriptive nature of Meaningful Use (MU) has stifled them and that the proposed MACRA rule is too intrusive. Do you really want the government rolling out a prescriptive rule for how to defend against malware? I'll answer for you. HELL NO! That would be a complete disaster. You would hate it and you would complain loudly. HIPAA is purposefully vague to account for the wide variety and varying size of all the healthcare organizations in existence. The Security Rule (the portion we're usually focused on when we talk about Health IT security) amounts to little more than good IT governance: a risk analysis, policies and procedures, access controls, audit logs, contingency planning. These are things you should be doing already. The way we see the problem is a major reason it persists. We tell ourselves a story about HIPAA and what we need from the government, but it's largely a lie and it hurts us every day.
What Should Healthcare Organizations Do About It?
According to Yaraghi, “a security breach, like other types of risk, has two components: probability of happening, and consequences.” This simple breakdown provides the basis for a thoughtful approach that all healthcare organizations can start on right now with the resources they already have.
Create Policies that reduce human error
Since most of the breaches studied were caused by people and not technology issues, you can take a big step forward by creating policies that reduce human error. This starts at the top and the organization’s leadership must clearly demonstrate that it’s a priority. With that clarity in place you’ll be primed to roll out an effective training program that includes your typical sessions, but is then supplemented with regular reminders, signs around the office, fake phishing email tests, etc. The goal here is to create a culture of security and compliance.
It's also advisable to have a clear understanding of the normal paths data takes through your organization and to make sure that staff only have access to the data they need to perform their duties. Knowing those normal paths is also what lets you notice when data is moving somewhere it shouldn't.
Implement appropriate security technologies
Your needs cannot be dictated to you, but should be driven by the results of your own risk assessment. A properly running HIPAA-compliance program will allow you to find the appropriate mix of technology to use. The study suggests a few specifics like encrypting your data and limiting access to local and trusted IP addresses. Both are worth considering, and I've argued in the past that while not technically required, encryption is effectively required by HIPAA: the Security Rule lists it as an "addressable" specification rather than a "required" one, but lost or stolen PHI that was properly encrypted falls under the breach-notification safe harbor, while unencrypted PHI on a lost laptop or thumb drive is a reportable breach.
Have a backup plan
The study points out that many organizations don't have a sound backup plan. If properly implemented, your HIPAA-compliance program already evaluates data backup, recovery and disaster recovery plans. You should evaluate your risks, document the response and test it regularly, including actually restoring from a backup rather than only confirming that backup jobs completed. This will give you options and control in the event of a breach or ransomware attack.
Be audit ready
Your HIPAA compliance program should assume that you’ll be breached (you will) and audited at some point. In the midst of a security incident, the last thing you want to do is scramble. Practice your own internal audits and consider having an annual 3rd party audit to ensure your compliance and security programs are up to snuff.
Consider Cyber Insurance
Yaraghi’s report ends with a strong endorsement for cyber insurance. Not only will it reduce your potential risk in the face of a breach, but it will also act as another guide in your quest for compliance and security. The insurance carrier will require that you put best-practices in place and may even conduct periodic audits that’ll keep you on your toes. Finally, in the event of a breach it will be in their best interests to help you avoid expenses and fines. That puts a capable ally in your corner when the auditor comes knocking.
Changing Our Story
The healthcare industry is telling itself the wrong story about HIPAA-compliance and security. Here’s a new one: HIPAA-compliance is a process and not a check-list. The process of HIPAA-compliance will help inform your security process, but it’s not security. We don’t want or need a prescriptive rule on how to do any of this from the government. We have all the knowledge and tools we need to be successful. Let’s get out of our own way and get it done.
#hcbiz 14 Details
On Wednesday, May 18, 2016 the Business of Healthcare community held a tweet chat to discuss these issues:
Q1: Do healthcare organizations under-value security and compliance? If so, why and how do we change that?
Q2: What are the biggest lies we tell ourselves about HIPAA that hurt security and the business of healthcare in general?
Q3: What is the #1 thing healthcare organizations can do today to improve their security and compliance programs?
This story was originally published on #hcbiz Blog on May 17, 2016
Every Wednesday “The #hcbiz Show!” takes on a new topic that’s relevant to the business of healthcare. We dissect the issue to find out what it is, why it is and what we should do about it. All with a mind towards how it fits into your healthcare business.