Brookings calls out OCR on HIPAA audits, offers security tips for healthcare organizations
With the healthcare industry suddenly accounting for nearly 25 percent of all data breaches, a new study from The Brookings Institution suggests some new cybersecurity strategies are needed.
Niam Yaraghi, a Brookings fellow, conducted in-depth interviews with 22 healthcare organizations – providers, payers and business associates – that had each experienced at least one data breach.
He found some things in common across them, and some differences. But his biggest takeaway was that guidance and enforcement from the federal government isn't doing enough to keep patient data safe, and that a more concerted private-sector strategy is needed to help ensure security best practices.
In his report, "Hackers, phishers, and disappearing thumb drives: Lessons learned from major healthcare data breaches," Yaraghi offered a series of suggestions for both the HHS Office of Civil Rights and those working in the healthcare trenches.
"Consider a simple office visit," he said. "In addition to the physician who sees the patient, it may involve an independent entity that facilitates the scheduling of the visit, an electronic medical records vendor that provides software and cloud storage for saving the doctor’s notes, a health information exchange platform that shares this data with other physicians, another party that creates the bill, the insurance company that pays for it, and sometimes a collecting agency that manages the patient’s late payments."
That scale and complexity has left healthcare "uniquely vulnerable to privacy breaches."
A host of other factors, from the value of detailed patient medical records – containing both medical and financial data – to hospitals' historic ill-preparedness, has led to healthcare earning the dubious distinction of being hackers' new favorite target.
"Government incentives led healthcare organizations to adopt electronic health records without being ready to adequately invest in security technologies," said Yaraghi. "Privacy breaches used to have little to no effect on the revenue stream of healthcare organizations, and thus, they did not have strong economic incentives to invest in digital security and patient privacy."
That's all changed now, of course: 23 percent of all data breaches happen in the healthcare industry, according to Brookings. Over the past six years, health records of more than 155 million Americans have potentially been exposed in whopping 1,500 separate breaches – the per-record cost of which is $363, the highest of all industries.
The government isn't always helpful when it comes to addressing this all too vexing problem, the Brookings report argues.
While HIPAA "is clear about the requirement to protect health data," for instance, "it does not specify how to do so and is open to interpretation," Yaraghi said. "HIPAA is also outdated and falls short of addressing modern cybersecurity challenges."
After a breach happens, meanwhile, OCR initiates audits. "While one does not expect the organizations that were audited to have a positive view about OCR, most of them mentioned that the process is very punitive and contributes to organizations’ reluctance to share the details of breaches with peers," he added. "Furthermore, audits usually take more than two years and organizations incur significant legal fees during the process."
As a potential way forward, Yaraghi offered some pointed suggestions to both the healthcare industry and the government.
First and most obvious, health organizations must prioritize patient privacy.
"In many of the interviewed organizations, privacy breaches could have been prevented had the organization spent enough on security technologies or diligently implemented and followed privacy policies," he said. "Healthcare organizations now have access to both the knowledge and technology that is required to ensure the privacy of their patients, and thus should use these resources to their fullest potential."
He emphasized the acute need for better communication: "Information sharing about security technologies, privacy policies, and breach incidents should take place among healthcare organizations and also between healthcare organizations and federal agencies," Yaraghi said.
And he touted the value of cyber insurance – not just as a protective mechanism for individual organizations, but as lever to help drive improvements in security practices industry-wide.
Such an insurance market could "fundamentally improve how patient privacy is viewed and managed in the healthcare sector," he said. "To underwrite the privacy risk of healthcare organizations, cyber insurance companies will be willing and able to conduct timely and efficient audits and proactively manage their clients’ privacy protection efforts. Healthcare organizations will also have a direct economic incentive to reduce their cyber insurance premiums by addressing their security weaknesses and preventing privacy breaches."
Sign up for the Healthcare IT News Privacy & Security Update newsletter.
Meanwhile, Yaraghi had two key recommendations to the Office for Civil Rights.
First, it should better communicate the details of breach incident audits, he said.
"After a breach happens, OCR conducts a thorough investigation to identify its causes. Through these audits, OCR also ensures that the victim organization has put corrective and preventive policies in place to avoid future incidents. Although the lessons learned from each breach can prevent other similar incidents, OCR does not share the details of its investigations. OCR should provide detailed reports on how each breach happened, and how other healthcare organizations can avoid similar occurrences."
Also, the government should get more specific about HIPAA – ideally establishing a "universal HIPAA certification system," said Yaraghi.
"OCR should prevent more than it punishes," he said. "Although the audits that happen after a breach effectively reduce the chances of second incidents, they cannot prevent privacy breaches in the first place. Random audits that take place before a breach occurs will be helpful in preventing one. These random audits are currently conducted very rarely. OCR should accredit certification agencies that can conduct preventive audits in accordance with OCR standards and certify the compliant organizations."