More is not necessarily merrier when it comes to health information technology, as this year's plague of hacking incidents demonstrates.
Health IT systems are becoming more like Christmas trees powered by the internet of things and a drive to connect patients to their medical data through mobile devices, apps and portals.
This week, lab giant Quest Diagnostics reported a healthcare data breach involving about 34,000 individuals' records. The weak link, Quest reported, was its web-based MyQuest patient portal.
“The patients themselves are not typically the threat," said Kevin Hyde, managing director of consulting firm Layer 8 Security. "The way a lot of applications are built is they're pieced together. There are relationships between vendors.” And those relationships can sometimes leave openings for hackers, Hyde said.
“The more vendors you have, the more risk you have,” he said.
Quest developed its portal as part of its Care 360 cloud-based electronic health record, according to spokeswoman Kim Gorode. The Madison, N.J.-based company is remaining tight-lipped about details of the breach—discovered Nov. 26—which is still being investigated.
But it was the company's portal, not its web-based EHR used by physicians, that was compromised, Gorode said.
In situations where many vendors are involved, vulnerabilities occur.
Last year, 1.5 million liability insurance claim records were downloaded by a computer hobbyist in Texas from a popular, commercial data storage site. The records were from the insurance departments at various government agencies that had contracted with a California company to provide them with web-based software to handle claims administration.
The agencies affected said they had no idea their data was being housed in a third-party data warehouse with inadequate access protection.
The incident was something of the poster child for breaches involving a chain of vendors, some unknown to the HIPAA-covered entity that contracted with the first vendor in the chain.
Through November, there have been more than 1,300 breaches reported to the federal government. Those breaches exposed more than 152 million individuals' records. So far this year, a record 92 breaches have been reported as the result of hacking. Those incidents exposed more than 12 million individuals' records.
To manage the increased risk from multiple moving parts, healthcare organizations should have a cyber-risk management plan in place and have legal agreements with vendors and insurance in place to cover any incidents, Hyde said.
Traditionally, health IT vendor contracts are stacked in favor of the vendors, including who's liable for data breaches. Such imbalances of power put the vendors' smaller clients in a relatively weak position when it came to negotiating protections for data security.
But updates to HIPAA that required public breach notifications also placed IT contractors under equal legal liability—including monetary and criminal penalties—for breaches of patient data their handling on behalf of their client hospitals, physicians, insurance companies and claims clearinghouses.
Earlier this year, HHS' Office for Civil Rights said it would begin a second round of congressionally mandated audits of healthcare organizations for compliance with HIPAA privacy, security and breach notification rules and that some of those audits will focus on IT vendors—so-called business associates—of HIPAA-covered entities. Some healthcare lawyers believe the combination of the HIPAA changes and the impending audits should strengthen providers' stance in negotiating better data security provisions within vendor contracts.
Last month, healthcare IT leaders called on HHS to appoint a national chief information security officer to elevate the posture of data security within health organizations across the nation. That national CISO could write contract guidelines to ensure security issues and liabilities are properly addressed.
Hyde, a former U.S. Marine Corps intelligence officer who had worked for the National Security Agency, also warned against being satisfied with simply meeting federal privacy standards.
“HIPAA is a minimum standard,” Hyde said. “It should not be a security standard you aspire to.”
Hyde advises clients to comply with the cybersecurity framework developed by the National Institute of Standards and Technology, which he says has a lot of depth.