Why Compliance and Security Are Still Lacking
A number of healthcare data breaches have made the news of late, particularly
involving large insurance companies and data clearinghouses. As the media
portrays the situation, our private health information is leaking to the
outside world at an alarming rate. BitSight's recently released Third Annual
Industry Benchmark Report suggests we should not be surprised: it ranks the
healthcare industry near the bottom in overall security, with only education
scoring lower.
The available data prompts one big question: why is the security of our most
personal data so poor? By comparison, security in the financial industry (the
best-ranked sector in the BitSight report) is well addressed, with significant
guidance and oversight provided by PCI DSS, GLBA and other regulatory regimes.
The healthcare world has HIPAA which, admittedly, is fairly weak as security
standards go. Even so, it does not appear to be followed well.
In her article "Why are healthcare data breaches so common?", Stephanie
Tayengco suggests five reasons why 91 percent of healthcare organizations
reported at least one breach over the last year:
- Systems are old and complex
- Health IT is 95 percent manual work
- Disjointed monitoring
- "We're already HIPAA compliant"
- Health data is valuable
I tend to work with smaller healthcare organizations, the front lines of the
healthcare cyberwar. They hold less data than the big players, but are usually
much easier to breach. While Tayengco's list fits the industry as a whole, I
see a somewhat different story in the niche I work with:
Transition to EMR without considering security
Many smaller practices are adopting electronic medical record (EMR) systems,
prompted partly by the financial incentives available under the HITECH Act and
partly because an EMR system is seen as a pathway to HIPAA compliance. In most
cases, practices are selecting "HIPAA compliant software" in the belief that
the selection constitutes their compliance and, as a result, resolves their
security issues. Sadly, this is a myth often spread by software vendors as a
sales tool. Compliance applies to the practice as a whole, not just the
software it uses.
HIPAA is a complex standard, and it is not written in a way that lets people in
a medical practice easily understand what it requires. As a result, I have
observed practices buy something that claims HIPAA compliance, be it a secure
email system, an encrypted storage system or the like, and assume that the
purchase makes them compliant, and therefore secure. Again, HIPAA applies to
the practice as a whole. The Security Rule calls for administrative, physical
and technical safeguards and a documented risk analysis, none of which a
product can supply on its own, so compliance cannot be met by the purchase of
a single product, no matter what the salesperson said.
No monitoring
Tayengco is exactly right about disjointed monitoring, but again, that applies
to the larger organizations. What I see in smaller practices is a complete lack
of monitoring. These folks generally have no idea how to even open a log file,
let alone review it. They often assume that their IT provider is handling it
for them, which is usually not the case unless monitoring is explicitly part of
the service they pay for. Their network may be under attack, and they do not
even know it.
Ignoring paper records
While adoption of EMR by smaller practices has been strong, paper records
almost always remain. This may result from a decision not to add archival paper
records to the EMR system, or because they serve as a bit of a security
blanket. Whatever the reason, they often sit in unlocked file cabinets with no
controls in place, leaving them open to insider threats and to anyone with
physical access to the office.
Lack of basic network protection
In my experience, smaller practices are not much different from small
businesses in general in their adoption of basic security controls such as
firewalls, properly secured wireless networks and data encryption. I rarely
see these controls properly implemented in any small business, medical or
otherwise.
No training or policies
Have you ever tried to put together a bike for one of your kids at Christmas
without the instructions? Unless you happen to be an engineer, the attempt ends
in a string of expletives and a disappointed kid. In the HIPAA world, we seem
to expect staff members to fill their roles in the compliance effort without
understanding what those roles are, or having the basic training or skills to
carry them out. We would not think of putting a medical office employee with a
patient without the necessary training, so why is compliance different?
I am just too small for anyone to mess with
This may be the most common excuse I hear in small practices, and in small
businesses in general. Those in smaller groups consider themselves invisible
compared to Anthem, Blue Cross or a large hospital. They miss the fact that
they are usually easy to breach and readily found on the Internet. If they use
Comcast as their Internet provider, for example, the location of their
business is likely listed on Comcast's website as a public Wi-Fi hotspot.
Unfortunately, while data breaches
involving the big players usually become known reasonably quickly, patient data
may be leaking from the smaller practices without anyone ever knowing. Once
patient data hits the black market, we may never know its source. This makes
the lack of security at smaller practices very dangerous.
Addressing compliance and security
If you are reading this as a member of such a practice, here are the steps you
should begin taking immediately to address compliance and security:
- Understand the HIPAA requirements, perform and document the risk analysis the Security Rule requires, and formulate a compliance plan
- Implement essential security controls on your network
- Train your employees, and give them policies and procedures to follow
- Monitor your systems and logs for evidence of issues
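The last step is the one small practices most often skip, because nobody on staff has ever looked at a log. As an added example (not from the original article), the script below reviews a constructed, sshd-style authentication log excerpt for two things a practice should be able to spot without any paid tooling: a burst of failed logins from one source, and a successful login from a source that had just been failing. The log lines, host name, user names and addresses are all constructed for this example, and the thresholds (five failures in ten minutes; three failures before a success is suspicious) are assumptions to be tuned for the practice, not standards from HIPAA or any vendor. The same review applies to any login log, such as Windows Security events or an EMR audit trail, once the parsing line is adjusted.

```python
"""Review a constructed authentication log for brute-force attempts and
logins that succeed right after a run of failures. Added example; the
log lines below are constructed, not real data."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Format mimics a Linux sshd
# auth log; the hostname, users and addresses are made up for the example.
SAMPLE_LOG = """\
Mar  3 02:14:01 emr-srv sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 02:14:03 emr-srv sshd[4012]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Mar  3 02:14:05 emr-srv sshd[4012]: Failed password for root from 203.0.113.7 port 51030 ssh2
Mar  3 02:14:08 emr-srv sshd[4012]: Failed password for root from 203.0.113.7 port 51033 ssh2
Mar  3 02:14:11 emr-srv sshd[4012]: Failed password for frontdesk from 203.0.113.7 port 51041 ssh2
Mar  3 02:14:19 emr-srv sshd[4012]: Accepted password for frontdesk from 203.0.113.7 port 51044 ssh2
Mar  3 08:02:45 emr-srv sshd[4190]: Accepted publickey for drsmith from 192.168.1.20 port 49152 ssh2
Mar  3 08:03:10 emr-srv sshd[4191]: Failed password for drsmith from 192.168.1.20 port 49160 ssh2
Mar  3 08:03:22 emr-srv sshd[4191]: Accepted password for drsmith from 192.168.1.20 port 49160 ssh2
"""

# One regex for the two sshd outcomes we care about. "invalid user" is an
# optional prefix sshd adds when the account does not exist.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(log_text):
    """Turn matching log lines into dicts with ts, ok, user and src."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated line; a fuller review would also count these
        # syslog stamps carry no year; strptime defaults it, which is fine
        # for computing time differences within one excerpt
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append({"ts": ts, "ok": m["result"] == "Accepted",
                       "user": m["user"], "src": m["src"]})
    return events


def review(events, threshold=5, window=timedelta(minutes=10),
           min_failures_before_success=3):
    """Return human-readable findings. Thresholds are assumed defaults."""
    findings = []
    failures = defaultdict(list)      # src -> timestamps of recent failures
    reported_burst = set()            # report each brute-force source once
    for ev in sorted(events, key=lambda e: e["ts"]):
        src = ev["src"]
        # keep only failures still inside the sliding window
        recent = [t for t in failures[src] if ev["ts"] - t <= window]
        if ev["ok"]:
            # a success after several failures may be a guessed password;
            # one typo followed by a success is normal and is not reported
            if len(recent) >= min_failures_before_success:
                findings.append(f"success for {ev['user']} from {src} after "
                                f"{len(recent)} failures within {window}")
            recent = []               # a success resets the window for this source
        else:
            recent.append(ev["ts"])
            if len(recent) >= threshold and src not in reported_burst:
                findings.append(f"{len(recent)} failed logins from {src} "
                                f"within {window}")
                reported_burst.add(src)
        failures[src] = recent
    return findings


if __name__ == "__main__":
    for finding in review(parse(SAMPLE_LOG)):
        print("FINDING:", finding)
```

Run against the sample, the review reports the five-failure burst from 203.0.113.7 and the success for frontdesk that follows it, and stays quiet about drsmith's single mistyped password. That silence is the point of the threshold: a review that flags every failed login is ignored within a week, while one that reports only runs of failures and successes that follow them is short enough for someone at a small practice to read every morning.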
If the above seems a bit overwhelming, there are many organizations available
to help. If you are reluctant to spend the money on such help, keep in mind
that you would never consider fixing your X-ray machine yourself. If you do not
have the time or expertise for HIPAA and security, hire someone who does.
Bottom line – as a small practice,
you are not invisible. Rather, you are the front line of the battle. Recognize
that you are at war with those who would steal patient data, and begin fighting
back.
Sources: HCSI; Computerworld (http://www.computerworld.com), author Robert C. Covington; Infosecurity Magazine (http://www.infosecurity-magazine.com/), author Tara Seals
Visit our website at http://www.hcsiinc.com or post a question on our LinkedIn group at http://bit.ly/1FWmtq6