But enforcement has done little to thwart the nationwide hacking of medical records, particularly those gushing into the computers of cybercriminals and/or hacking hobbyists.
According to a Modern Healthcare analysis of the “wall of shame” website kept by the civil rights office since September 2009, there have been 1,314 breaches involving at least 500 individual patients' healthcare records reported to HHS. Of them, only 16% of the reported breaches have involved some form of hacking incident, but those cyber incidents have been the most severe of all breaches. Hacks account for 125 million individuals' records being breached, 81.5% of the total 153.4 million records exposed by all causes and reported to the list.
In addition to a CISO, HIMSS has two other items on its “call to action” wish list.
It asks that the healthcare industry adopt a voluntary, national cybersecurity framework of “guidelines, best practices, methodologies, procedures and processes.” HIMSS is also calling for HHS to work with the healthcare industry to address the chronic shortage of qualified cybersecurity personnel.
Healthcare security consultant Michael McMillan agreed with the HIMSS recommendations across the board, adding it is imperative that the industry come together around a common approach to data security.
“We will never build a trusted environment until we have standards we can all recognize and count on,” said McMillan, the CEO and co-founder of CynergisTek, an Austin, Tex.-based security firm. “Healthcare is one of the last industries to adopt a recognized cyber security framework and the question should be 'why?'”
A national CISO should play a dual role, not only having responsibility for promoting cyber security readiness throughout HHS itself, but also seeing to industry preparedness as well, McMillan said.
Congress should also promote incentives for universities to offer cyber security programs, add cybersecurity courses to medical school and hospital administrator programs, and help individuals wanting to go back to school and specialize in cybersecurity, he said.
But privacy expert Dr. Deborah Peel took issue with a cyber security framework siloed in the healthcare industry.
“We need tough standards across the board,” said Peel, the founder of the Patient Privacy Rights Foundation. And, she said, “The standards should never be voluntary. They have to be required. If you want to hold data in these large databases, you have to prove you've met the standards,” with interim inspections and security audits required, she said.
Peel said the most effective way to protect individuals' healthcare data is a so-called distributed system.
“The information stays where it's created, period,” Peel said, with data aggregation, storage and release performed by the individual. “That's one of the most effective cyber security defenses,” she said. “It's too hard to break into 320 million different places to get information.”