And yet, in recent weeks, news stories abound of healthcare information security breaches, some relatively small, some massive.
Security experts say the spate of bad news does not reflect a fundamental change in the status quo, but rather the real state of security—or lack thereof—in the healthcare industry. Gregory Veltri, chief information officer at Denver Health, who moved to healthcare from banking in 1997, described his transition. “When I found out there were really no standards for security in healthcare, I nearly had a heart attack,” Veltri said. “You couldn't run a business like that.”
Yet, Michael “Mac” McMillan, CEO and co-founder of the Austin, Texas, healthcare information security firm CynergisTek, said that despite all of the recent breach cases making headlines, “We probably don't have more breaches today than we had six months ago.”
What's different, McMillan said, is that a new federal breach notification law, backed up by increased penalties for violations, “has shone a bright light” on the industry's security woes. Since Sept. 23, when the rule went into effect, if a breach involves more than 500 individuals' records, “they have to notify not just HHS, but all the local media. The reason you're seeing the firestorm is that now they have to admit it. When they call up the local newspaper and say they've lost 30,000 records, the local paper is quite happy to print that. Those of us who work in the field know it's been going on all along, but now they have to fess up.”
Lisa Gallagher, senior director of privacy and security at the Healthcare Information and Management Systems Society, presented results of a survey at an HHS-sponsored advisory panel on standards in November. Fifty-two percent of large hospitals, 33% of mid-sized hospitals and 25% of small hospitals surveyed reported experiencing a data breach in the past year.
Spending on security—or the paucity thereof—was a serious issue with many of the IT professionals surveyed. A sizable majority of all respondents (60%) spent less than 3% of their IT budgets on security. That percentage hadn't changed from last year's survey, Gallagher said. Meanwhile, 67% of organizations surveyed encrypt data when it is moved, but only 44% encrypt it when it is stored.
According to Gallagher and McMillan, encryption and basic security process auditing would have gone a long way toward mitigating, if not eliminating, the breach problems experienced by organizations whose breaches made headlines in the past couple of months. “Some policy was missing with regards to how hard drives are handled or people were not following those policies,” Gallagher said. “If they had taken the time to do a risk analysis they would have found these vulnerabilities. These are not hard; they are not costly.”
“The thing they are probably not doing is to make sure their employees are actually following the policies in place,” she said. “They don't know people are not doing it because they don't audit their actual practices.”
Gallagher said she'd like to see the federal government provide help in educating data handlers about security best practices as part of its IT support initiatives funded under the stimulus law. “If we're going to put money into this sector, we need to be able to be successful with security,” Gallagher said. “For me, the education of how to do an on-going risk assessment, how to incorporate that into your business practices, that would be the single thing to do.”
Veltri said Denver Health's central data center is not encrypted, but every laptop in his organization is. If a user mistypes the password three consecutive times, the software wipes the hard drive clean. Out of an IT operating budget of $27 million, $2 million goes for security, and security products account for 1/13th of his IT capital budget, he said.
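The laptop control Veltri describes rests on a point the paragraph leaves implicit: on an encrypted disk, a “wipe” only has to destroy the key material, not overwrite every sector. The following is an added illustration written for this page, not Denver Health's product or code. The class and method names are hypothetical, the three-attempt threshold is taken from the quote, and the XOR key wrap is a simplification standing in for the AES key wrap a real product would use.

```python
import hashlib
import hmac
import os

# Threshold taken from the policy described above (assumed parameter).
MAX_FAILURES = 3


class EncryptedVolume:
    """Toy model of one full-disk-encryption key slot with a wipe-on-failure policy.

    Disk contents are never stored here, only the key material that makes them
    readable. Destroying that key material is what makes the disk unreadable
    (cryptographic erasure); a separate overwrite of the sectors is unnecessary.
    """

    def __init__(self, passphrase: str):
        self.salt = os.urandom(16)
        # Data-encryption key (DEK): the key that would actually encrypt sectors.
        dek = os.urandom(32)
        kek = self._derive_kek(passphrase)
        # Wrap the DEK with the passphrase-derived key-encryption key (KEK).
        # XOR is a stand-in for a real key wrap such as AES-KW.
        self.wrapped_dek = bytes(a ^ b for a, b in zip(dek, kek))
        # A verifier lets us check a passphrase without exposing the DEK.
        self.verifier = hmac.new(kek, b"verify", hashlib.sha256).digest()
        self.failures = 0
        self.wiped = False

    def _derive_kek(self, passphrase: str) -> bytes:
        # Slow, salted derivation so the passphrase cannot be brute-forced cheaply.
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self.salt, 100_000)

    def unlock(self, passphrase: str):
        """Return the DEK on success, None on failure; wipe after MAX_FAILURES in a row."""
        if self.wiped:
            return None
        kek = self._derive_kek(passphrase)
        candidate = hmac.new(kek, b"verify", hashlib.sha256).digest()
        if hmac.compare_digest(candidate, self.verifier):
            self.failures = 0  # the count is of consecutive failures
            return bytes(a ^ b for a, b in zip(self.wrapped_dek, kek))
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self._wipe()
        return None

    def _wipe(self):
        # Overwrite the wrapped key and verifier. Once they are gone, even the
        # correct passphrase recovers nothing.
        self.wrapped_dek = os.urandom(32)
        self.verifier = b"\x00" * 32
        self.wiped = True


if __name__ == "__main__":
    vol = EncryptedVolume("correct horse battery staple")
    print("unlock ok:", vol.unlock("correct horse battery staple") is not None)
    for _ in range(MAX_FAILURES):
        vol.unlock("wrong guess")
    print("wiped after repeated failures:", vol.wiped)
    print("correct passphrase after wipe:", vol.unlock("correct horse battery staple"))
```

The design point is that the failure counter and the wipe live with the key slot, so the decision to destroy the key is made before any sector is ever decrypted; a real implementation would also store the counter in tamper-resistant hardware rather than in process memory, where Python cannot guarantee zeroization.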
Susan McAndrew, the deputy director for health information privacy at HHS' Office for Civil Rights, said the twin requirements of public breach notification and increased penalties for HIPAA violations under the new stimulus law—penalties range from $100 to $50,000 per violation, capped at $1.5 million per year—are working.
“I think it is simply attributed to the fact that the breach notification requirement is actually having its desired effect, which is to push these kinds of incidents into the public eye,” McAndrew said. The bad publicity, she said, “will give them an additional incentive to try to avoid these in the future. They don't want to risk a fine for not reporting them, so they do make the notifications that are required.”
From April 14, 2003, the effective date of the HIPAA privacy rule, through Oct. 31, 2009, HHS' Office for Civil Rights received 47,632 privacy complaints. Of those, more than 20,300 cases implicated the privacy rule. The Civil Rights Office took over from the CMS on July 31 as the enforcement authority for the HIPAA security rule. By that point the CMS had investigated 428 security complaints, of which 55 required a so-called HIPAA “covered entity” to come up with a corrective action plan and fix its deficiencies.
But McAndrew said the aim of her office is to achieve compliance, not to impose penalties, and that it emphasizes negotiated enforcement. She confirmed that neither HHS nor the CMS has issued a single civil monetary penalty for violations of either the HIPAA privacy or security rule. McAndrew cited two settlement agreements reached by her office as cases in which it has used money as an enforcement tool: one jointly with the Federal Trade Commission in February for $2.25 million against CVS Caremark Corp., and one in 2008 for $100,000 against Providence Health & Services, Seattle.
The stimulus law also requires HHS to maintain a public list of breach notifications for events in which records for more than 500 people were involved. McAndrew said she hopes to have the breach reports, which now number about a dozen, posted online sometime in January.
What do you think? Write us with your comments at [email protected]. Please include your name, title and hometown.