At a Glance
- The HITECH Act is holding providers accountable for data security and breach notification.
- Investment in technology costs healthcare organizations far less than fines for noncompliance.
- Healthcare organizations should conduct risk analysis of their enterprise regularly.
- Organizations can take steps to mitigate their security risk.
New rules governing data security and breaches are more prescriptive than the HIPAA rules, and the government is stepping up enforcement.
The Health Information Technology for Economic and Clinical Health Act (HITECH) has raised the bar for healthcare entities and their business associates. Increased risks and the potential for higher costs accompany this new paradigm.
HITECH was enacted as part of the American Recovery and Reinvestment Act of 2009 to promote the adoption and meaningful use of health IT. Whereas the Health Insurance Portability and Accountability Act (HIPAA) requirements were considered vague, the HITECH rules are being written much more prescriptively to eliminate some of that ambiguity, while preserving flexibility in approach, technology, and implementation. As of this writing, not all HITECH rules have been finalized. The Office for Civil Rights (OCR) had announced that several rules would be issued this year, although the agency would not commit to a date. The agency now is being pressured to issue several of these rules on or before Dec. 31, 2011. These rules include revisions to the HIPAA security rule, the final breach notification rule, and the final enforcement rule. The notice of proposed rulemaking on accounting for disclosures was issued in May only to be soundly rebuked by just about everyone in the industry and the Congress. Originally due by the end of year, this rule is likely to receive an extension to allow more time to work on specifics.
Notably, an interim final regulation on breach notification was published in 2009 and remains in effect. In addition to breach notification rules concerning enforcement, meaningful use and electronic health record (EHR) certification criteria and standards have been released. Still others are yet to come.
These regulatory changes are occurring while healthcare organizations are also dealing with increased regulation around substance abuse and mental health patient information, health information exchanges, and ICD-10 rules. To say the least, healthcare organizations have their hands full.
In addition, there has been an unprecedented rise in malicious code attacks, increases in all types of identity theft, and continuing insider abuse of privilege. The healthcare industry has certainly felt the impact of all of this threat activity. In 2010, the industry reported 221 major breaches and more than 30,000 smaller breaches. The actual number of breaches is, in all likelihood, much larger. As of this article's publication date, more than 330 major breach incidents have been reported, including the largest to date involving 4.9 million records-another incident involving a business associate mishandling a covered entities data. The number of individual records affected has soared more than 10 million in less than two years.
The main causes of security breaches are poor data management, lack of appropriate controls, and insider abuse of privilege. Analysis of past breach events reinforces these factors as the primary and repeated causes responsible for most data losses. These causes are amplified by the continuing growth and complexity of the IT environment and the growing need to share information with an expanding care community. The result is the need for greater information awareness and tighter controls. The cost of putting security controls in place is far less than the costs associated with a breach or operating without the right tools and technologies.
Both HIPAA and HITECH call for organizations to conduct ongoing risk analysis. Specific reference to risk assessment is made in certain rules, such as meaningful use and breach notification. Stage 1 of meaningful use has 15 core requirements, two of which compel organizations to conduct or review a risk assessment in accordance with 45 CFR 164.308 of the HIPAA security rule before either starting or completing their attestation period. HITECH's breach notification rule references using risk assessment to determine if significant harm could befall those whose information may have been breached. The purpose of these assessments is to identify potential gaps or weaknesses in controls that could lead to a breach or risk of compromise and to inform and assist in prioritizing remediation efforts.
If conducted to meet the U.S. Department of Commerce's National Institute of Standards and Technology's requirements as recommended by the OCR in its guidance document of May 2010, a risk assessment could cost from less than $10,000 to more than $100,000, depending on the institution's size and the complexity of its enterprise. When compared with potential costs associated with fines, civil litigation, resolution agreements, or individual credit protection for several hundred or even thousands of individuals, the investment is well worth undertaking.
Yet some healthcare entities still do not perform risk assessments regularly, and some have yet to perform their first assessment, according to the 2010 Health Information and Management Systems Society (HIMSS) analytics survey (www.himssanalytics.org). The average cost of a data breach in the healthcare industry increased 7 percent in 2010 to $301 per compromised record, according to the sixth annual U.S. Cost of a Data Breach study by the Ponemon Institute, a research center dedicated to privacy, data protection, and information security policy.
Audits of User Activity
Without argument, one of the biggest areas of risk in health care is insider abuse of privilege, or access. Healthcare organizations deal with multiple cases of inappropriate access every year. When that access leads to fraud, identity theft, or public embarrassment, cost is involved.
Despite regulatory requirements to create appropriate access control mechanisms and monitor system activity and use, many healthcare organizations have not invested in the tools to comply effectively and efficiently. A requirement that is already difficult to meet will only be more difficult when meaningful use and accounting for disclosure rules take effect. HIPAA requires organizations to conduct ongoing information system activity reviews and audits of user activity. Meaningful use requires an audit of user activity within the EHR and specifies what must be audited. Accounting for disclosures requires organizations to identify upon request who has accessed a patient's record. All of these requirements assume that activity and access are being recorded and can be audited and that someone or something is paying attention to it. In reality, at least one of these actions is not possible or not happening in many organizations today, according to various surveys.
In many instances, the collection, analysis, and reporting of system or user activity is still a reactive, manual, time-consuming, and, worst of all, inaccurate process. One example is auditing user activity in core clinical systems. Because of the sheer volume of user activity, audits usually are performed only on high-profile individuals and employees and upon request. When a request is received, an employee has to stop working, go into the application, manually locate the log information corresponding to the audit target, and then review the data to determine what occurred. This process can take a few hours, a few days, or a few weeks. The time spent equates to lost productivity. If the search is unsuccessful or incomplete, the organization's potential risk increases. Failure to provide an accurate and timely accounting could result in a fine or a resolution agreement with defined requirements for remediation and government oversight.
The costs of performing audits manually are exponentially higher than the cost of deploying automated log management and privacy auditing tools, particularly given the frequency and time-consuming nature of these types of requests. On average, an automated logging or privacy auditing tool can save 80 or 90 percent of the time required to perform an audit manually, with greater accuracy, and can include more data sources. Although automation of this function is necessary to comply with HITECH's new requirements, manual processes will still be required for information systems that lack the necessary functionality, are not networkable, or are not interoperable with logging and monitoring technologies.
Encryption is receiving increasing attention as a result of the breach notification rule, which provided specific guidance for its use. The rule did not change the nature of the HIPAA security rule's requirement, but it did provide encryption as means to achieve safe harbor, or to avoid having to notify. Encryption was recommended in the HIPAA security rule, but was made an addressable standard. As a result, many organizations chose not to encrypt, citing issues with productivity and system impacts. Although an encryption capability is included in the certification criteria for EHRs, safe harbor and avoiding breach notification have been the primary motivator of its adoption.
Many healthcare organizations are beginning to encrypt their data on mobile devices, and most encrypt data transfers, such as email or file transfer protocol (FTP). However, few encrypt data at rest, and many treat encryption and its deployment as a point solution instead of as part of a well-thought-out data security strategy. The latter has led to incomplete coverage, too much encryption in some cases, and inefficient use of controls in others, resulting in additional cost and risk for the organization. Encryption has been proposed again in Meaningful Use Stage 2 requirements with much more specificity around its language, such as encryption of personal health information in databases, within data centers, and on mobile devices (e.g., laptops and personal digital assistants [PDAs]).
Encryption is not a complete solution. Rather, it relies on other security controls, processes, and human interaction to be successful. Encryption within the enterprise or on a system relies on the integrity of that ecosystem to ensure that it is not compromised. A network successfully hacked, with credentials compromised, can lead to encrypted data being at risk. A system logged into and left unattended can leave data at risk because it is usually decrypted at log-in.
To illustrate, consider a home health nurse who, between appointments, stops at a coffee shop, sets up her laptop, connects to the application, logs in, enters data for several minutes, and then goes to the rest room, leaving her laptop unattended. She returns to find her laptop missing. Although the organization made the right decision to encrypt, the individual, through poor practices, undermined the organization's effectiveness and put the data at risk. In this case, the pertinent questions to ask are:
- Was the laptop password protected?
- Were appropriate auto log-outs set for both application and system?
- Was a tracking solution used on the laptop to aid in its location and recovery?
Protection of System Integrity
The type of incident that probably gets the most attention the most quickly is a network, system, or application outage. Every organization gets viruses, but the better organizations are able to react, contain, and eradicate the malicious software and limit its impact to the organization. The enterprise needs to be maintained properly, to be kept up to date on service packs and patches, to run antivirus software in an optimal configuration, and to have the tools to assist in early detection and isolation of harmful packets before they have time to affect large segments of the enterprise.
The HIPAA security rule addresses system integrity, evaluation, risk management, and antivirus employment. Many organizations today perform some level of testing and use antivirus tools, and some have implemented network monitoring systems. The key is timing. These efforts are the only variable that can effectively be manipulated to reduce risk. Despite the steep increase in malware attacks over the past two years, efforts in patching remain inconsistent and are often delayed. Antivirus solutions are not optimally configured, scanning and updating daily or sometimes weekly. And few healthcare organizations actively employ and monitor intrusion protection systems or use security information event managers to aid them in quickly identifying and avoiding dangerous malware and other security events. The result is costly clean-up activities, expensive forensic analysis, loss of productivity for the IT organization, and possible disruption of operations.
Breach Notification and Enforcement
The HITECH Act introduced real accountability around breaches of protected health information with the breach notification rule. Released in 2009, the rule provides for notification and reporting requirements in the event of breaches of protected health information, a provision for assessing likelihood of harm, and safe harbor if appropriate encryption is applied.
Breaches involving more than 500 individual records require notification be given within 60 days of the incident to the Department of Health and Human Services (HHS), local media, and those whose records were involved if it is determined that the breach could cause significant harm to a person's reputation or financial circumstances. For incidents involving fewer than 500 individual records, organizations should follow the same process, but the requirement to report is not as immediate and is limited to HHS. Breaches can be reported individually or annually within 60 days of the end of the calendar year.
In addition to the federal HITECH requirements, 46 states have their own breach notification statutes that may require notification to individuals involved regardless of the number of records. Organizations should have incident response procedures that accommodate both state and federal requirements. Most notable of these is the new California SB 24, which requires notification to the state attorney general's office, and the new Texas HB 300, which extends notifications to all individuals across the country for companies doing business in Texas.
Enforcement has been stepped up this year. In the spring of 2011, the OCR followed up some tough rhetoric regarding accountability with significant fines. The first was assigned to a payer for failure to provide several patients with their records upon request. In addition to the base fine, the payer was hit with a fine for failure to cooperate with the government's investigation. The second fine was imposed on a hospital for breach of patients' records after a worker who was taking files home left them on a train. In addition to the fine, the hospital was required to accept a resolution agreement detailing necessary remediation. OCR uses resolution agreements to promote compliance and resolve issues identified during audits following breaches. These agreements typically include a compliance action plan, a time period to implement that plan, and acceptance of government oversight until the plan is completed.
In May 2011, OCR initiated training for state attorneys general on HIPAA, HITECH, and their responsibilities for enforcement. Enforcement was expected to increase this year, making readiness all the more important. Readiness will require investment in the right technologies and controls, but those costs will certainly be less than any associated with remediation of an unwanted breach. In July, the OCR launched its random compliance audit program, letting contracts to Booz Allen Hamilton and KPMG to identify and conduct 150 audits across the country. These audits will not be complaint- or incident-based.
What Healthcare Organizations Should Do
The ability to manage incidents effectively lies in prevention, detection, and reaction. Organizations should take the following steps to help mitigate risk.
Conduct a risk assessment. Organizations should perform risk analysis regularly. Just as the IT environment is dynamic, the threat of risk also is dynamic and requires more than an occasional review. Managing risk is at the core of any good security program and critical to business. It is the most valuable measure organizations can take to inform their remediation and risk mitigation efforts. Risk analysis should be performed at least annually and, if possible, by an independent third party that holds certifications in security and has experience in health care.
Re-evaluate the enterprise. The new HIPAA security paradigm requires much greater awareness of where electronic protected health information is, where it is going, who is touching it, and what they are doing, and much more effective controls to be able to meet the requirements of access, limited data set/minimum necessary, accounting for disclosure, and breach notification. (Minimum necessary is the principle that says only permit access that is necessary to do the assigned task.) Instead of looking for a quick solution, organizations should perform a bottoms-up review of their security architecture, starting with how effectively they are managing data.
Put controls and processes in place. Organizations should eliminate or mitigate risk by employing the right set of integrated security controls and processes. Proper technology is needed to mitigate risk effectively or develop the level of readiness that will allow the organization to prevent, detect, and react to eliminate risk where possible and triage the rest effectively. Organizations need to put the basic technology in place to establish a strong foundation for the rest of the program to build upon.
Focus on users. Controls alone cannot produce a secure environment. Personal responsibility, integrity, and self-discipline are critical qualities needed by individuals who work in secure environments. A large percentage of the breaches seen in 2010 were the result of a lapse in judgment or character. Healthcare leaders have expressed in several surveys that insider mistakes and abuse is their No. 1 concern from a security perspective. Healthcare organizations should operate in a culture in which users can access information only on a need-to-know basis. This culture begins with education and ends with real accountability.
Although HITECH did not demonstrably change the HIPAA security rule, it has clarified the rule's specifications and has increased the risks associated with noncompliance. Healthcare organizations should ensure that they are in compliance with the security and breach of notification rules. To achieve this compliance, they need to have technology and controls in place.
Mac McMillan is chairman and CEO, CynergisTek, Inc., Austin, Texas (firstname.lastname@example.org).
Publication Date: Tuesday, November 01, 2011