While technology changes over the past 22 years have allowed increasingly skillful data breaches, we can expect even more dramatic developments in the next five years. Attention to potential breaches now—in all their various forms—will be essential to managing unforeseen future threats.
HIPAA Compliance Needs Improvement
One recommendation is to dedicate six months to a HIPAA review, assessing each OCR protocol element at a time.
Last year, a data breach story appeared in the headlines practically every day, and April 2018 was the worst month in recent memory: there were 41 reported breaches that exposed nearly 900,000 individuals’ records. With HIPAA now 22 years old, one might wonder why compliance is not better.
Part of the answer lies in the fact that technology has evolved since 1996. “When HIPAA was passed, physical security was the main focus,” according to Isaac Kohen. “But technology has evolved since then and the threats are different now.” He cites the blossoming of the internet and cloud-based file sharing as major reasons for more and different kinds of risks than those faced in 1996.
These developments allow for negligent release of information and unauthorized access by outside actors such as through “phishing” (the practice of sending e-mails purporting to be from reputable sources to discover personal information) and ransomware attacks (assaults threatening to publish victims’ data or block access to it unless ransoms are paid).
The “WannaCry” ransomware attack is a prime example of the latter phenomenon. Although not healthcare-specific, WannaCry involved a “cryptoworm”—a type of malicious software— that affected more than 200,000 computers running the Microsoft Windows operating system. It caused billions of dollars of damage across 150 countries in May 2017 before being shut down.
“Healthcare is a prime target for security attacks because personally identifiable information—whether on patients or employees—is extremely valuable data,” Kohen says. “And healthcare organizations are often vulnerable because they don’t invest as much in cybersecurity as do other industries.” The growing use of business associates to augment the workforce adds to the vulnerability, as does the use of telemedicine equipment and even unencrypted devices.
Healthcare attorney Iliana Peters, formerly of the OCR and now with the Polsinelli law firm in Washington, D.C., cites the case of 21st Century Oncology, Inc. (21CO) as an example of vulnerability because of lack of good data security practices. According to an OCR news release, the Florida-based system of oncology care providers failed to conduct an accurate and thorough risk assessment, failed to implement security measures that would reduce risks and vulnerabilities, and failed to implement procedures for regularly reviewing records of information system activity, such as audit logs, access reports, and security incident tracking reports.
On two separate occasions in 2015, patient information had been illegally obtained by an unauthorized third party through the remote desktop protocol from an exchange server within 21CO’s network. “The case is especially noteworthy,” Peters says, “because the problem was discovered during an FBI investigation, which shows that not protecting against criminal activity can lead to civil liability.” Following an investigation 21CO entered into a $2.3 million monetary settlement, signed a corrective action plan, and filed for Chapter 11 bankruptcy.
Frank Ruelas, Facility Compliance Professional at St. Joseph’s Hospital and Medical Center in Phoenix, Arizona, points out that in addition to ransomware attacks and unauthorized access from outside sources, many of the risks are internal to organizations. “There seems to be a lot of confusion about HIPAA security,” Ruelas says, "and a good deal of it is self-inflicted. Based on what I see, some people are getting complacent. They aren’t reading the regulations carefully and doing a proper risk analysis.”
Ruelas recommends systematically working through OCR’s Phase 2 HIPAA Audit Protocol. The Audit Protocol is a comprehensive tool that addresses the 180 elements of privacy, security, and breach notification covered by the Omnibus Final Rule (78 Fed. Reg. 5566-5702, Jan. 25, 2013). “It’s a daunting task to do this,” he says, “but it takes hard work to do HIPAA right and we must be diligent.”
See related sidebar: OCR Offers Guidance on Patient Behavioral Health Disclosure
Ruelas recommends dedicating six months or so to the job, taking about thirty elements at a time. He refers to a set of tools offered free of charge by the HIPAA Collaborative of Wisconsin, otherwise known as “HIPAA COW.” The HIPAA COW toolkit summarizes nine risk assessment steps outlined by the National Institute of Standards and Technology; contains several helpful worksheets including a list of sample security policies, security questions, lists of threat sources, and plans for risk mitigation and implementation; a sample risk analysis report; and numerous other helpful materials.
Using the toolkit, Ruelas has a team assess HIPAA readiness for each of the OCR protocol’s elements using a red-yellow-green system (for high-medium-low risk factors). “This is a good process for really understanding the practical implications of the audit process,” he says.
Kohen reiterates that “insiders” are the cause of many HIPAA breaches. Whether the breaches were malicious or negligent—such as through servers left publicly accessible, inappropriate social media posts, or e-mails containing health information sent to the wrong recipient— more than four of every 10 incidents were due to disclosure by members of the workforce.
Commonwealth Health suffered the largest data breach in 2017, and that was the result of an insider’s actions. An employee placed the sensitive information of nearly 700,000 individuals on an unencrypted device for use on a personal project. Regardless of whether the now former employee’s actions may have been intentional and criminal, the size of the breach is enormous.
Kohen recommends obtaining software that detects, records, and prevents, malicious user behavior. “Giving users warnings when they are about to endanger the company will go a long way toward preventing breaches and achieving HIPAA compliance,” he says. “It may also help improve productivity and efficiency.” He adds that while the changes in technology over the last 22 years have been significant, we can expect even more dramatic developments in the next five years, so attention to potential breaches now—in all their various forms—will be essential to being able to deal with the unforeseen threats of the future.
J. Stuart Showalter, JD, MFS, is a contributing editor for HFMA. and is an HFMA member.
Interviewed for this article:
Frank Ruelas is facility compliance professional, St. Joseph’s Hospital and Medical Center, Phoenix, AZ.
Isaac Kohen is founder and CEO, Teramind.
Iliana I. Peters is a shareholder with the Polsinelli law firm, Washington, D.C.
Share Your Thoughts
|What do you think? Please share your thoughts in the comments section below.|