
IT Everything

A witness to history in healthcare information technology.
By Joseph Conn

Blog: Slipshod approach to security should concern IT leaders

A million and a half dollars here, a million and a half dollars there, and pretty soon, you're talking real money—even in the healthcare industry.

The Office for Civil Rights at HHS on Monday announced a settlement agreement for $1.5 million with a venerable Massachusetts healthcare organization, Boston-based Massachusetts Eye and Ear Infirmary and its affiliated medical group, Massachusetts Eye and Ear Associates, over alleged HIPAA security-rule violations. The alleged violations involve the reported theft, back in 2010, of an unencrypted laptop bearing the records of 3,621 individual patients.

I did a quick check of the OCR's "wall of shame" website and found MEEI was getting whacked on its second trip to the rodeo.

The privacy and security enforcers at the OCR, after a long, long period of quiescence, appear to be stepping up their enforcement efforts and availing themselves of the stiffer penalties that Congress provided in the American Recovery and Reinvestment Act's revisions to the Health Insurance Portability and Accountability Act's privacy and security rules.

And while the OCR is allowing MEEI to pay the fine on the installment plan, even $500,000 a year is a lot of money—a point not lost on MEEI itself.

In a statement, MEEI said that because no one appears to have been harmed, it was "disappointed with the size of the fine, especially since the independent specialty hospital's annual revenue is very small compared to other much larger institutions that have received smaller fines."

I'll bet.

But it's hard to know what the government was supposed to do other than to take out its proverbial 2x4 and start whacking to get the healthcare industry's attention.

The HIPAA privacy rule was implemented nearly 12 years ago, the security rule more than eight years ago.

Since September 2009, under the ARRA, providers have reported tens of thousands of breaches to the OCR, which is obliged by Congress to publish online only those involving 500 or more victims. The idea was to shame the industry into compliance. But shame hasn't worked.

So far, 490 breaches have made the wall of shame. Combined, they've exposed the private information of more than 21 million people. At least 124 of those breaches have involved laptop computers and other portable devices, a problem that could be addressed with good policies and encryption.

Of the 490 breaches, 110 have been reported this year—hence the need for application of heavy lumber.

So far, taxpayers have shelled out more than $6 billion in direct incentive payments to providers for health IT, and a real worry should be that if this slipshod approach to their privacy and security continues, patients will rebel against having their records stored electronically.

I believe the chances are slim that such a rebellion will happen, but with an estimated $27 billion to be paid out under the life of the incentive program, even a slim chance is too big of a chance to take.
