The theft of 4.5 million medical records by Chinese hackers recently, coupled with the news that as-yet unidentified hackers were able to penetrate the U.S. government’s health care portal, have stirred consumer concerns about the safety of health care records—and rightly so.
No patient should have to worry that his or her protected health information (PHI) may fall into the hands of thieves.
medical industry experiences more security breaches than any other U.S. industry today, serving to undermine public confidence in electronic health records and the industry at large. Last year alone, more than 7 million patient health records were breached, up 138 percent over the previous year, according to a February report by IT security consultant Redspin. Theft or loss of unencrypted portable computing devices (i.e., laptops) or digital media containing PHI was the leading cause of PHI data breach, impacting 83 percent of records breached. Unauthorized access and hacking incidents impacted less than 7 percent of records breached.
It’s reassuring to see the industry break new ground in studying security flaws and addressing vulnerabilities. For example, the Health Information Trust Alliance (HITRUST) teamed with the Department of Health and Human Services (DHHS) last spring to lead CyberRX, a series of no cost, industry-wide exercises designed to simulate cyber attacks on participating health care organizations and help them identify weaknesses in preparedness. Two important findings emerged:
- Organizations that participate in cyber exercises are better prepared for a cyber attack, regardless of the maturity and comprehensiveness of their information security program.
- More preparation exercises like CyberRX would benefit health organizations by helping them to evaluate their programs, refine policies and procedures, and develop and implement effective communications among internal departments, the industry at-large, and government.
Industry programs like CyberRX enhance awareness of cyber threats and their systemic risk to the health care system, promote industry cooperation in exploring vulnerabilities and responses, and encourage information sharing among health care organizations and government. Next month, HITRUST and DHHS will launch a sequel program, CyberRX 2.0, with an expanded scope covering local, regional and national levels.
But while the healthcare industry is stepping up efforts to combat security breaches, more meaningful change also needs to occur at the organizational level. If the threat of a damaged reputation and bad press associated with a breach are not incentive enough, the new HIPAA rules established last year, and the mega fines that they carry, should be (not to mention the extraordinary costs that may be required to fix a problem). Every health care organization – from providers to payers – will need to go the extra mile to safeguard their PHI and maintain HIPAA/HITECH compliance. They’ll also need to keep their Business Associates (BAs) on the hook to support them.
How can healthcare organizations safeguard their IT infrastructure and prevent PHI breaches? That’s the question I’m most often asked.
Network security flaws and IT struggles with HIPAA/HITECH compliance should not become your business’ Achilles heel. Become proactive. Prevent PHI breaches by probing your IT infrastructure for vulnerabilities, establishing critical processes and developing a clear understanding of how to avoid potential HIPAA compliance disasters. Here are five tips:
Conduct an annual risk assessment. Plan and budget for HIPAA risk analyses, which are a HIPAA Security Rule requirement. If you don’t already work with an unbiased, fully independent auditing team, which typically includes certified engineers and compliance experts, then engage one. A risk assessment is a sensible approach to identifying the multiple risks to your organization and addressing any network security vulnerabilities. They’re designed to give you the education, expertise, support and protection that you need to protect PHI, pass your audits, and maintain a continuously HIPAA-compliant in-house environment.
Conduct frequent penetration testing and vulnerability scans. Network penetration testing and vulnerability scans are intrinsic to most companies’ security strategy. They uncover critical vulnerabilities and illustrate how well your network and data are protected. Ask your auditors or compliance experts to perform monthly or quarterly tests. Get a full report on external, internal and web application testing, as well as strategies for remediation?
Ensure application security. A good auditor or compliance team can help you with this too. Secure the design, development and deployment of your web-facing applications by assessing thoroughly any vulnerabilities and addressing any design flaws or security gaps that threaten security and compliance. Managing and remediating risks now will save time and money later.
Educate employees about security and HIPAA. Frequent HIPAA security awareness trainings and daily reminders throughout the workplace will help reduce violations. Ask your auditor or compliance team how to ensure that the training is situational and fully engaging and how to customize a workplace awareness program for your organization.
Review your Business Associate Agreements (BAAs). Do this regularly and update them as needed. Your BAA is not just a piece of paper that you read only when a problem arises. You should understand what you have signed. An appropriate and effective BAA is a policy that is highly specific to the data that your BA is protecting and/or has access to and the services that the BA is rendering. Remember that, under the new HIPAA rules, your exposure to penalties is increased. You are responsible for protecting your PHI and ensuring that all of your BAs are also compliant.
Given the diversity and volume of growing threats, securing your organization has never been more important. While these tips address an IT infrastructure broadly, it’s also worth attending to more granular aspects of your IT such as data and hardware encryption, implementing a backup and disaster recovery plan, securing portable devices and establishing a policy for their use, creating subnet wireless networks (to divide PHI and guest data), and identifying experienced legal counsel to represent you in the event of a breach. Ask your auditor or compliance team for help in these areas too.
Jay Atkinson is CEO of AIS Network.