There have been a total of 804 large breaches of protected health information affecting more than 29.2 million patients since HITECH came out in 2009.
The findings of a new report from Redspin, Inc., show many healthcare organizations have been struggling to comply with HIPAA. The sheer number of large personal health information breaches in 2013 — the year saw a 138 percent increase — is perhaps all the evidence needed to back up that assertion.
How can you keep your organization from being one of the casualties of these HIPAA breaches?
[See also: 4-year long HIPAA breach uncovered.]
“At the end of the day, your ultimate goal is to get your employees to believe that patient health information is part of their responsibility, their civic duty, so to speak,” says Daniel Berger, president and CEO of Redspin in a recent interview. “They need to look beyond, ‘here’s our policy,’ to adopting a personal stake in keeping patients records secure."
You can dictate policies all you want, but employees will use their BYODs as they see fit, often not telling you if they download patients' personal health information on their own devices to take home. Usually it’s for a good purpose. They want to do a good thing and get caught up on their work, for example. Then they run into trouble, when their laptop gets stolen or lost.
[See also: 42K get HIPAA breach letters.]
"You’ve got to get employee buy-in; simple as that," Berger says of a breach-prevention culture. IT security is complicated, made even more so by the dynamic nature of technology and the ever challenging threat landscape. There is no silver bullet. It may be best to think of IT security as a chronic illness, a condition that requires ongoing treatment, testing, and re-evaluations. With security, the goal is not an outright cure but a lessening of symptoms, a lowering of risk, according to Berger.
This year's Redspin report also includes these other tips:
1. Conduct an annual HIPAA security risk analysis
This is your annual exam. Periodic risk analysis is a requirement of the HIPAA Security Rule anyway so you might as well plan it in advance and budget for it. When you consider all of the changes that take place year-over-year such as new system deployments, IT infrastructure enhancements, organizational restructuring, and employee turnover, it is certain that new vulnerabilities have arisen at the same time. At Redspin, we are fond of saying that while security assessments have a shelf life, they also have an expiration date.
Do not be fooled into thinking that a HIPAA security risk analysis need not be technical. It is not possible to assess security risk without identifying real vulnerabilities and developing a remediation plan to address them. That is like a physical exam without blood work!
2. Inoculate yourself by encrypting data-at-rest
Insist on encryption of data on all portable devices. This is our fourth annual Breach Report and encrypting laptops and other portable devices has been our top recommendation every year. From 2009 to present, the loss or theft of unencrypted portable devices have made up over a third of all large breach incidents and impacted over 50 percent of all health records put at risk.
We recognize that there are still significant hurdles to encryption – complex, often clumsy technology, budgetary constraints, and user-training needs. Employees resist it but extending the analogy; people resist needles too. As painful as it may be, it will not compare with the pain of a major breach incident due to a lost device chock full of PHI. The costs of forensics, reparations, attorney’s fees, an OCR investigation / civil penalty, potential class action lawsuits, and negative publicity can easily run into millions of dollars.
3. Conduct more frequent vulnerability assessments and penetration testing
The threat from malicious outsiders – hackers – has the potential to wreak havoc on the healthcare industry. While there have not been widespread occurrences, there can be no room for complacency. Just consider that 12th largest breach of all time was the 2012 hacking incident at the Utah Department of Health (780,000 patient records).
In our opinion, hacker attacks are likely to increase in frequency over the next few years. Personal health records are high value targets for cybercriminals as they can be exploited for identify theft, insurance fraud, stolen prescriptions, and dangerous hoaxes. In addition, many health providers process and store credit card information.
To combat this threat, we recommend ongoing vulnerability scanning and remediation. Implement a monthly or quarterly test schedule so that you can compare results and see what you have fixed, what you have not, and what new vulnerabilities may have arisen. If you do not have the resources to do this yourself, Redspin can put you on an auto-scheduled service to do it for you. And consider external and internal penetration testing. These types of tests more closely mimic the paths of malicious attackers and can often expose inter-related weaknesses that would be beyond the scope of typical vulnerability assessments.
4. Invest in the security awareness of your workforce
The lack of security awareness among your employees is your overall biggest risk and the hardest of remediation. But every dollar spent on educating your employees on IT security is an investment in your organizations future success. The task goes well beyond PowerPoint presentations. You need to engage all of your employees in building a culture of security through a process of frequent and engaging security awareness training, of internal training, daily reminders, and visual workplace cues.
Situational training is a must – run social engineering tests (phishing, pre-text phone calls). Reward success. Track what people do in specific situations (good and bad) and integrate that info back into the training. Implement hotlines, place posters on walls, screen-saver reminders, and monthly tips. Redspin, among other firms, can help build and customize an effective program for you.
5. Engage with your business associates
The responsibility of PHI security now officially extends outside the organization. The Omnibus rule legally extends compliance with HIPAA security provisions and direct civil liability for breach to business associates and their vendors. That said, covered entities still retain their obligation to ensure that its business associates are safeguarding PHI effectively.
This story was first published in our sister publication Government Health IT.