7- DATA, DATA,& MORE DATA IN HEALTHCARE by PHARMAGEEK
#survey #report #ebook #studies #ehealth #mhealth #healthcare
Scooped by Lionel Reichardt / le Pharmageek

How to Deal with a Patient Data Breach (and Avoid One in the First Place)


With electronic storage of protected health information (“PHI”) becoming more common, healthcare providers are rightly concerned about ensuring their data and security systems are not breached, and developing an established course of action in the event that their systems are breached. 

 

The most important security precaution a provider can have in place is a stable, repeatable system for breach prevention. Without one, keeping breaches out becomes guesswork.

 

Do not place your bets on good luck or assume that the system you currently have will prevent a breach. It’s impossible to plan for every possibility, and your practice will be better prepared if you view breaches as an inevitability.

 

So, prepare as if a breach will happen—but keep your focus on prevention, as that is the ideal. 

How to Prevent a Data Breach

Your patients are depending on you to provide them with a safe and secure system, and they are the ones who will be most affected when a breach occurs. Here are a few tips to ensure that your system is as secure as it can be, adapted from this resource:

1. Test, test, test. 

First, make sure your current system is effective. To do this, you must test the system. This means performing constant random testing—data breaches are random, so your testing should be as well—as well as conducting a yearly risk assessment. 

2. Restrict access to patient information. 

One of the key concepts of the Health Insurance Portability and Accountability Act (HIPAA) is that only those who need to use the data have access to it. Make sure that the systems you have in place only allow employees to access required information. Furthermore, ensure each employee has his or her own login information, as this makes audit trails easier to follow. 

3. Educate.

Make sure you provide constant, current education for both yourself and your employees about HIPAA compliance and the impacts of a health data breach. 

4. Deploy encryption technology and monitor devices and records.

Be sure to employ technology that protects the PHI stored on your devices. This means encrypting all of your data and hardware, whether the data is at rest or in motion, and keeping that encryption up to date. Make sure your system strictly manages identity and access, so that only those who need to use the information can do so.

 

While HIPAA does not require data encryption, the Health Information Technology for Economic and Clinical Health (HITECH) Act states that if encrypted data is stolen, this does not constitute a breach. 

 

There should also be strict rules for employees who use their own devices to access information, as this can lead to breaches (e.g., if those devices are lost or stolen). Educate employees on how to secure their belongings, and consider asking them not to store data locally at all.

5. Review and modernize IT infrastructure.

If you work in a hospital or large practice, keep the network that carries patient records on its own subnet, separate from any wireless network you offer. This way, you can provide Wi-Fi to your patients while ensuring they cannot reach the records.

 

If you use a cloud system, it’s crucial that you read over the contracts carefully. Make sure you will still be HIPAA-compliant and that the systems will be secure. 

 

You may want to invest in quality IT staff to work on these networks. The individuals you have will determine whether your systems will work and will be there to defend you against breaches.  

6. Collaborate with compliant business associates.

It is likely that you currently have business associates, or that you will have one or more in the future. Business associates can help keep your information secure, but doing so means they have access to PHI. Make sure your business associates are HIPAA-compliant and have proper security procedures in place to prevent breaches.

7. Invest in a good legal team.

Remember, as helpful as these tips are, you must view a breach as inevitable. Even if you do everything right, bad things can still happen. Investing in a good legal team allows you to know that even if something goes wrong, you have a plan to move forward.

How to Respond to a Data Breach

Now, let’s assume you’ve set up an appropriate system to prevent a breach, but something has happened anyway and your patients’ PHI has been accessed. Let’s look at the steps you should take.

1. Conduct an initial assessment of the breach.

Once you have discovered a possible breach, you need to conduct an initial assessment of the situation. This can be done through creating a task force. This group will need to determine:

  1. What went wrong? 
  2. Was any PHI compromised? 
  3. When did it happen?
  4. Who is responsible?
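As an added example (not code from the article), the audit-trail review below ties prevention tip 2 to this initial assessment: given constructed EHR access-log lines, it flags reads outside what a role needs and reads made from shared logins, then answers the task force's four questions from those findings. The log format, role names, record types and account names are all assumptions.

```python
# Added example (not from the article): a minimal EHR audit-trail review.
# It applies tip 2 (each role reads only the record types it needs, and every
# access comes from an individual login) to constructed log lines and answers
# response step 1's questions: what went wrong, which PHI, when, who.
# Log format, role names and record types are all assumptions for this example.
from collections import namedtuple

Event = namedtuple("Event", "ts user role action record_type patient")

# Assumed least-privilege matrix: record types each role is allowed to read.
ALLOWED = {
    "physician": {"chart", "lab", "billing"},
    "nurse": {"chart", "lab"},
    "billing": {"billing"},
}
# Generic logins defeat the audit trail, so flag them whatever role they claim.
SHARED_ACCOUNTS = {"frontdesk", "admin", "shared"}

def parse_line(line):
    """Assumed log format: ts|user|role|action|record_type|patient_id."""
    return Event(*line.strip().split("|"))

def review(lines):
    """Return findings as (ts, user, record_type, patient, reason) tuples."""
    findings = []
    for ev in map(parse_line, lines):
        if ev.user in SHARED_ACCOUNTS:
            findings.append((ev.ts, ev.user, ev.record_type, ev.patient, "shared account"))
        elif ev.record_type not in ALLOWED.get(ev.role, set()):
            findings.append((ev.ts, ev.user, ev.record_type, ev.patient, "outside role"))
    return findings

def initial_assessment(findings):
    """Turn findings into the task force's four questions; None if nothing found."""
    if not findings:
        return None
    return {
        "what_went_wrong": sorted({f[4] for f in findings}),
        "phi_compromised": sorted({(f[2], f[3]) for f in findings}),
        "when": (min(f[0] for f in findings), max(f[0] for f in findings)),
        "who": sorted({f[1] for f in findings}),
    }

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    "2016-03-01T08:02|jdoe|nurse|read|chart|P1001",
    "2016-03-01T08:05|billing1|billing|read|chart|P1001",
    "2016-03-01T09:15|shared|nurse|read|lab|P1002",
    "2016-03-01T09:40|asmith|physician|read|lab|P1002",
]
```

Running `initial_assessment(review(SAMPLE_LOG))` reports the billing user reading a chart and the shared login reading a lab result, with the affected patients and the time window, which is exactly the material the task force needs before a root cause analysis.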

2. Address the risks.

Now it’s time to fully dive in and determine what happened and how. That way, you can ensure it does not happen again. This can be done through conducting a root cause analysis—and documenting the steps you take along the way. When looking through your data, you should have documentation including:

  • policies and procedures for security and privacy,
  • details on employee education and awareness programs, and
  • evidence of disciplinary action taken on employees. 

Don’t limit your focus to the system that experienced the breach. If something went wrong in one system, it is highly likely the same thing can and will happen in another.

3. Notify the appropriate parties. 

Even though it is difficult, it is necessary that you notify all the appropriate parties of what has happened. While you might be worried about losing patient trust, patients prefer to know the truth. 

4. Manage the consequences.

After you’ve studied the causes of the breach and reported your findings to the appropriate parties, it is possible that you will be investigated and have to pay legal fees. Remember, HIPAA laws were created to protect the patient, not the practice. 

 

As previously mentioned, your relationship with your patients may suffer because of the breach. So, after you’ve taken appropriate measures to combat the breach and implement new security measures in your system, you must take steps to rebuild your patient relationships. If this situation was something outside of your control, explain this to your patients. Patients appreciate honesty and transparency. 

 

If you are struggling to handle the breach, reach out to legal counsel for assistance. There is no shame in asking for professional help.  

5. Don’t panic. 

Remember, you prepared for a breach, and you’ve done damage control. Sometimes things happen that you cannot prevent, and all you can do is react appropriately. Review what happened and make sure that you took all the proper measures to ensure the same thing does not happen again. 

bwell's curator insight, April 18, 2023 9:37 AM
When it comes to health matters, it is essential to know which pharmacies are good and which are bad. You need to learn what to look for in a pharmacy to know whether it is the right one. Remember, you are dealing with lives, which is why you must be careful about where you buy your medicines and other pharmaceutical necessities.

Scooped by Lionel Reichardt / le Pharmageek

Will 2016 be Another Year of Healthcare Breaches?


As I listened to a healthcare data security webinar from a leading security vendor, I had to ask: “Are we now experiencing a ‘New Normal’ of complacency with healthcare breaches?” The speaker’s reply: “The only time we hear from healthcare stakeholders is AFTER they have been compromised.”

 

This did not surprise me. I have seen this trend across the board throughout the healthcare industry. The growing number of cyberattacks and breaches is further evidence of a ‘New Normal’ of security acceptance — a culture of ‘it-is-what-it-is.’ After eye-popping headlines reveal that household names were compromised, one would think security controls would be at the forefront of every healthcare action list. Why, then, are we seeing more reports of healthcare breaches, year after year?

 

This idea comes from the fact that, due to a lack of enforcement, tolerable penalties, and a culture of risk mitigation, more breaches are to be expected in the healthcare industry. Until stricter enforcement and penalties are implemented, breaches will continue throughout the industry.

 

The Office for Civil Rights (OCR), the agency overseeing HIPAA for Health and Human Services, originally scheduled HIPAA security audits to begin in October 2014. Unfortunately, very few audits have occurred because the agency is woefully understaffed for its mandate, which covers a healthcare industry accounting for more than 17 percent of the U.S. economy.

 

Why Sweat a Breach?

Last September, newly appointed OCR deputy director of health information privacy Deven McGraw announced the launch of random HIPAA audits. In 2016, it is expected that 200 to 300 covered entities will experience a HIPAA audit, with at least 24 on-site audits anticipated. However, this anticipated figure accounts for less than one percent of all covered entities — not much of an incentive for a CIO/CISO to request additional resources dedicated to cybersecurity.

 

Organizations within the industry are approaching cybersecurity from a cost/benefit perspective rather than asking how a breach affects individual patients. For payers that have been compromised, where will their larger customers go anyway? Is it really worth a customer’s effort to lift-and-shift 30,000, 60,000 or 100,000 employee health plans to another payer in the state? The issue is similar to the financial services industry’s routine when an individual’s credit card is compromised and then replaced, or when individuals want to close a bank account over poor service: does anyone really want to go through the frustration of starting over with an unknown company?

 

For some of the better-known breaches, class-action lawsuits can take years to adjudicate. By then, an individual’s protected health information (PHI) and personally identifiable information (PII) has already been shared on the cybercriminal underground market. In the meantime, customers receive their free two years’ worth of personal security monitoring and protection. Problem solved. Right?

 

The Cost of Doing Business?

When violations occur, the penalties can sting, but they are simply considered part of the cost of doing business. In March 2012, Triple-S of Puerto Rico and the U.S. Virgin Islands, an independent licensee of the Blue Cross Blue Shield Association, agreed to a $3.5 million HIPAA settlement with HHS. In 2012, Blue Cross Blue Shield of Tennessee paid a $1.5 million fine, only to have another HIPAA violation in January 2015.

As of December 2015, the total number of data breaches for the year was 690, exposing 120 million records. However, organizations are unlikely to be penalized unless they fail to prove they have steps in place to prevent attacks. If an organization does not have a plan to respond to a lost or stolen laptop, OCR may find grounds for fines, but this can be a difficult process. Essentially, whether a fine follows a cyberattack or breach is relative.

 

A more recent $750,000 fine was settled with Cancer Care Group in September 2015, but the incident itself happened in August 2012 — nearly three years earlier. A 2010 breach reported by New York-Presbyterian Hospital and Columbia University wasn’t settled until 2014, for $4.8 million. Lahey Hospital and Medical Center’s 2011 violation was only settled in November 2015, for $850,000. With settlements taking place several years after an event, settling may appear to be a legitimate risk assessment, further reinforcing the ‘New Normal’ of cybersecurity acceptance.

 

At one HIMSS conference, the speaker emphasized to a Florida hospital the need to enforce security controls. They replied, “If we had to put into place the expected security controls, we would be out of business.”

 

Simply put: The risks of a breach and a related fine do not outweigh the perceived costs of enhancing security controls. For now, cybersecurity professionals may want to keep their cell phones next to the nightstand.

Guillaume Ivaldi's curator insight, April 2, 2016 10:18 AM
Simply amazing: cost of providing a decent security is clearly not aligned with the business outcomes, and therefore it is economically better to endure the fine than being fully compliant to the regulation ...