Healthcare is among the most heavily regulated industries and among the most difficult to manage in the context of IT. Not only must healthcare organizations protect the enormous volumes of highly sensitive and confidential data that flows through their networks, they must deal with managing threats that can enter an organization from a large number of ingress points: email sent between healthcare organizations and their business partners, employee use of the Web, social media, and Wi-Fi networks that are intended for staff and patient use. Moreover, healthcare organizations and their network of partners must comply with a growing set of burdensome and onerous regulations, all with the knowledge that even simple mistakes can result in painful and far-reaching consequences.
KEY REGULATIONS THAT GOVERN HEALTHCARE
There are a large number of regulations that govern healthcare in the United States. HIPAA is one of the most serious such regulations faced by healthcare-related organizations because of its significant impacts on not only healthcare providers, but insurance companies, benefits administrators, attorneys and other organizations that manage healthcare information.
HIPAA created a number of standards for the protection of patient privacy rights, including controls on how sensitive healthcare information is accessed and disclosed. Although HIPAA was enacted in 1996, it was considered a poorly enforced requirement until 2009. However, the Health Information Technology for Economic and Clinical Health (HITECH) Act, as well as the HIPAA Omnibus Rule that became effective as of late March 2013, dramatically increased both the scope of HIPAA and the consequences for breaking its rules.
Important parts of HIPAA, as well as other statutes, include the following:
- HIPAA Security Rule
The focus of the HIPAA Security Rule according to Health and Human Services is “to protect individuals’ electronic personal health information that is created, received, used, or maintained by a Covered Entity. The Security Rule requires healthcare organizations to implement appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic Protected Health Information (PHI).”
- HIPAA Privacy Rule
The Privacy Rule is designed to protect individuals’ medical records and other sensitive information that a healthcare organization may possess or manage. Much of the focus of the Privacy Rule is on the management and protection of information in electronic form.
- Covered Entities
A Covered Entity is any organization – including hospitals, clinics, clearinghouses, insurance companies, doctors' offices, etc. – that handles either Personal Health Records (PHR) or Protected Health Information (PHI). HIPAA requires Covered Entities to follow all HIPAA and HITECH requirements for protecting this content from accidental disclosure and other violations.
- Business Associates
A Business Associate is any organization, such as a cloud provider, benefits administrator or CPA, with which a Covered Entity does business and shares patient records or PHI. The HIPAA Privacy Rule permits a Covered Entity to share this content with a Business Associate as long as the latter can provide proper assurances that sensitive patient information will be protected, and that it will help the Covered Entity to maintain compliance with the Privacy Rule.
A key element of the Business Associate relationship is the Business Associate Agreement (BAA), a contract between a Covered Entity and a Business Associate intended to protect PHI. BAAs went into effect in February 2010 and require Business Associates to comply with the HIPAA Privacy and Security Rules for protecting PHI. An important part of a BAA is the process that the Business Associate will use to address and correct a data breach, including data breaches that are the fault of subcontractors used by the Business Associate.
WHAT COULD GO WRONG?
There have been several events that have generated penalties under HIPAA, as well as other violations for which a penalty has not yet been determined. Here are some examples:
- Phoenix Cardiac Surgery generated several HIPAA violations, including some of their doctors emailing one another from unprotected personal accounts. The result was a $100,000 fine and a requirement to adhere to a Corrective Action Plan for one year.
- Idaho State University will pay a $400,000 penalty because the university’s Pocatello Family Medicine Clinic disabled a firewall and might have exposed records for 17,500 patients.
- Lutheran Social Services of South Central Pennsylvania in York, PA experienced ingress of malware that might have exposed sensitive data on 7,300 patients.
- A hacker was able to exploit a security flaw on the Web site of Presbyterian Anesthesia Associates in Charlotte, NC, thereby exposing the credit card numbers, identities, contact information and other information for nearly 10,000 patients.
- Regional Medical Center in Memphis, TN sent three unencrypted emails to one or more organizations in late 2012 and early 2013 that contained information about 1,200 patients of the organization.
- A single employee at Hope Hospice in New Braunfels, TX sent sensitive patient information using an unencrypted email account in December 2012 and again in February 2013, exposing PHI for 818 patients of the hospice.
IT IN HEALTHCARE IS FRAUGHT WITH RISK
So, anyone dealing with IT in the healthcare space faces two significant risks:
- Sensitive and confidential data can leak out of healthcare organizations or any of their partners that manages sensitive information.
- Malware could enter an organization through any of a number of different venues.
Osterman Research is currently conducting a survey to determine the level of risk that healthcare-related organizations face from these issues. What we found reveals some serious problems:
- We discovered that a significant proportion of healthcare-related organizations have Dropbox, Google Drive and Microsoft OneDrive (SkyDrive) deployed within their corporate networks. While these products work very well, they are often managed by employees rather than the IT department, and so represent a way for content to be sent independently of the corporate policies that are designed to stop PHI from being sent, or at least to encrypt it before it leaves the network.
- We found that one out of five healthcare-focused organizations has not established any sort of anti-spam, anti-virus, data leak prevention (DLP), encryption or related standards for organizations with which they have or will have Business Associate Agreements. This is another serious problem, since these standards must be established if electronic information is to be shared safely across an extranet of business partners.
- We also found that more than one-third of healthcare-related organizations have not deployed a DLP solution that will monitor outbound email for potential HIPAA/HITECH violations. This is another serious issue given the potential – and the reality – of this problem, as noted in the examples above.
- On the plus side, many organizations are giving us a rather honest self-assessment of where they think they stand with regard to security. For example, when asked to rate themselves on a scale of 1 (poor) to 5 (excellent) on how well their organization manages security for spam and malware protection, 43% of healthcare-related organizations rated themselves “3” or lower. Similarly, 41% rated themselves “3” or lower for preventing data leaks, and 45% did so with regard to managing secure file-sharing.
The good news is that healthcare-related organizations are taking proactive steps to address these problems. For example, 63% of those we surveyed will give a high or very high priority to investing in anti-spam and anti-malware systems over the next 12 months, while 71% will place this high a priority on preventing data leaks.
These issues are important for any organization, but perhaps nowhere more critical than in the healthcare industry, given the severe penalties that can result from even fairly minor missteps.
We will keep you posted on our survey results and update you shortly.