September 12, 2011
By Robert J. Murphy
For The Record
Vol. 23 No. 16 P. 20
The emergence of smartphones, tablets, and related devices has added another layer of complexity to maintaining HIPAA standards throughout hospitals.
Even as the HITECH Act added some much-needed bite to the enforcement of personal health information security, the number of data breaches and their related costs grew apace. They occurred seemingly anywhere, from private medical practices and teaching hospitals to sprawling managed care organizations. No one, it seems, is too big to be breached.
Complicating matters is the emergence of mobile devices as a popular technology among healthcare professionals. Now that tablets and smartphones have joined the playing field with laptops and PDAs, security personnel and IT experts face novel challenges as they grapple with familiar vulnerabilities and more stringent enforcement.
Data breaches cost hospitals some $6 billion annually, according to a November 2010 report from the Ponemon Institute. The number of medical-related data breaches nearly doubled from 116 in 2007-2008 to 229 in 2009-2010, according to the Privacy Rights Clearinghouse.
While the number of breaches rises, the nascent regulatory teeth are apparently taking a sizable bite out of fraud as well. For the fiscal year ending last September, the U.S. Department of Justice obtained $2.5 billion in healthcare fraud recoveries, the largest total ever, according to the agency.
The pattern has marched on into 2011. According to the American National Standards Institute (ANSI), responsible parties have reported 249 breaches affecting more than 8.2 million people. And healthcare data security breaches tend to be far more costly than run-of-the-mill identity theft. A 2010 survey conducted by Javelin Research revealed the cost difference to be approximately $20,000 vs. $4,841 per incident.
In this instance, Hamlet had it exactly backward: These actions clearly are not “more honored in the breach than the observance.”
The costs go beyond money to reputation, and that is by design of one of HITECH’s provisions. Under the breach notification rule, an organization that experiences a health data breach affecting 500 or more individuals must report it to the Health and Human Services (HHS) Office for Civil Rights within 60 days of discovery. The mishap and its details are then posted on a public website along with others of its kind, in a place sometimes referred to as the “Wall of Shame.” Think of it as healthcare’s version of the colonial-era stocks.
“We keep tabs on that website and do a high-level analysis of the types of breaches that are out there in the healthcare industry,” says Christopher Wilkinson, a senior manager in the security and privacy practice at Crowe Horwath, an accounting and information security consulting firm with offices in multiple states.
No Pain, No Gain
“Unless an institution has suffered a major data breach and experienced the attendant costs—fiscal, operational, and reputational—it is difficult to get senior management to give a reasonable priority to information security among all of the competing needs,” says Rick Kam, president and cofounder of ID Experts, a data breach consulting firm in Portland, Ore.
Complacency is inadvisable in a context of ever-multiplying risks to data security. Remember when people thought of e-mail as perhaps their only mobile application? Back then, physicians were content to have a laptop and a BlackBerry, says Dan Dearing, group director for mobile security strategy at BoxTone, a mobile data management company in Columbia, Md. That was all they needed to feel they were ahead of the technology curve, he adds.
But in recent years, IT has become far more integral to healthcare as expanding innovations open the door to a wider array of data applications. With that has come a proliferation of confidential healthcare information that can be stored on a laptop or any of several other mobile devices. “This now needs to be secure, and it needs to be done in a way that complies with the HIPAA Security Rule,” Dearing says.
Losing a device is the most obvious data security risk. “I was astounded by how many laptops are left each year at airports,” says Gary R. Gordon, PhD, a partner at Bluewater International, a management consulting firm in Denver. “I said, ‘How can you do that?’”
What recourse is there in such instances? Healthcare organizations may turn to the HHS website, where handy charts list information risks and strategies for dealing with them. Among the measures listed for losing a device are the following:
• Identify the types of hardware and electronic media that must be tracked.
• Record what occurred at the scene of the loss.
• Initiate a lockdown for the wayward device.
• Password protect the device and the files it contains.
• Require encryption capability on mobile devices that store personal health information.
Another common avenue that leads to a data breach is lost or stolen log-in or password information. This potentially sets the stage for an unauthorized person to access a device and the information it contains.
Again, HHS offers preventive measures. For instance, go beyond the standard username and password and add a further check, such as a security question (“What’s your favorite Broadway musical?”). Bear in mind that a security question is a second memorized secret rather than an independent factor, and its answer is often guessable or discoverable, so a one-time code or a hardware token is the stronger choice where remote access to patient data is at stake. Then devise a way to create unique usernames and authenticate them for occasions when an employee is out of the office.
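As an added example (not code from the article, from HHS, or from any of the consultants quoted), the following Go program shows what “going beyond the username and password” can look like on the server side: passwords are stored only as salted PBKDF2-HMAC-SHA256 hashes, repeated failures lock the account so a leaked username cannot simply be brute-forced, and the out-of-office login additionally requires a time-based one-time code (RFC 6238) from the user’s phone. The one-time code stands in for the security question mentioned above; it is an independent factor, whereas a security question is a second memorized secret. The iteration count, the lockout threshold, and the `Account` type are assumptions made for the example, and the secret used below is the public RFC 4226/6238 test vector, not a real key.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
)

// Policy values assumed for this example; the article quotes none.
const (
	pbkdf2Iterations = 100000
	maxFailures      = 5  // consecutive failures before the account locks
	totpStep         = 30 // seconds per time step (RFC 6238 default)
)

// Account is the server-side record; the password itself is never stored.
type Account struct {
	Salt, Hash []byte // Hash = PBKDF2-HMAC-SHA256(password, Salt)
	TOTPSecret []byte // shared with the user's authenticator app
	Failures   int    // consecutive failed logins since the last success
}

// pbkdf2SHA256 is PBKDF2 (RFC 8018) written out so the example needs no
// dependencies; one block of SHA-256 output is exactly the 32-byte key.
func pbkdf2SHA256(password, salt []byte, iterations int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // block index 1
	u := prf.Sum(nil)
	t := append([]byte(nil), u...)
	for n := 1; n < iterations; n++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil)
		for j := range t {
			t[j] ^= u[j]
		}
	}
	return t
}

// Register stores a random per-user salt and the derived hash, never the password.
func Register(password string, totpSecret []byte) (*Account, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	hash := pbkdf2SHA256([]byte(password), salt, pbkdf2Iterations)
	return &Account{Salt: salt, Hash: hash, TOTPSecret: totpSecret}, nil
}

// Locked reports whether the failure counter has tripped the lockout.
func (a *Account) Locked() bool { return a.Failures >= maxFailures }

// VerifyPassword compares in constant time and counts failures, so a leaked
// username cannot be brute-forced against the login endpoint.
func (a *Account) VerifyPassword(password string) bool {
	if a.Locked() {
		return false
	}
	candidate := pbkdf2SHA256([]byte(password), a.Salt, pbkdf2Iterations)
	if subtle.ConstantTimeCompare(candidate, a.Hash) == 1 {
		a.Failures = 0
		return true
	}
	a.Failures++
	return false
}

// HOTP is the six-digit RFC 4226 code for a counter (HMAC-SHA1, dynamic truncation).
func HOTP(secret []byte, counter uint64) string {
	mac := hmac.New(sha1.New, secret)
	var msg [8]byte
	binary.BigEndian.PutUint64(msg[:], counter)
	mac.Write(msg[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f
	bin := (uint32(h[off])&0x7f)<<24 | uint32(h[off+1])<<16 | uint32(h[off+2])<<8 | uint32(h[off+3])
	return fmt.Sprintf("%06d", bin%1000000)
}

// TOTP is HOTP over the time step containing the given Unix time (RFC 6238).
func TOTP(secret []byte, unixTime int64) string {
	return HOTP(secret, uint64(unixTime/totpStep))
}

// VerifyRemote is the out-of-office login: password plus a one-time code, with
// one step of clock skew allowed either way. Both checks always run, so the
// caller cannot tell which of the two failed.
func (a *Account) VerifyRemote(password, code string, nowUnix int64) bool {
	passOK := a.VerifyPassword(password)
	codeOK := false
	step := nowUnix / totpStep
	for _, c := range []int64{step - 1, step, step + 1} {
		expected := HOTP(a.TOTPSecret, uint64(c))
		codeOK = codeOK || subtle.ConstantTimeCompare([]byte(expected), []byte(code)) == 1
	}
	return passOK && codeOK
}
```

Calling `acct.VerifyRemote(password, code, time.Now().Unix())` performs the combined check. The published RFC 4226 vectors (counter 1 over the ASCII secret `12345678901234567890` yields 287082) let you confirm the code generation against an authenticator app before rolling it out. In a real deployment the endpoint would also sit behind a rate limiter, and a memory-hard function such as scrypt or Argon2 is preferable to PBKDF2 where the platform provides one.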
Wayward passwords are so pervasive that their protection ranks as Wilkinson’s favorite security control. Running a close second, and favored by numerous consultants, is encryption of the data as well as of a device’s applications.
“The other [favorite security control] would be encryption of the data on the device itself or what we would call ‘sandbox applications’ that are out there,” Wilkinson says. “They allow these devices to operate within a secure environment. If you think about the device itself, then the applications are in the sandbox that has a model of security around it.”
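The following Go program is an added illustration (not the article’s code, nor Crowe Horwath’s or any vendor’s) of two of the controls discussed on this page taken together: encryption of the data on the device itself, as Wilkinson describes, and the “lockdown” of a lost device from the earlier HHS list. Each record is sealed with AES-256-GCM under a per-device data encryption key that lives only in a key store; the record’s file name is bound as associated data, so a ciphertext copied to another name, truncated, or altered fails to open; and lockdown is modelled as destroying that key, after which nothing sealed under it can be recovered even from an image of the flash. The `Keystore` type, the record layout, and the sample record are assumptions made for the example, and the patient data is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// ErrLocked is returned once the device has been locked down and its data key destroyed.
var ErrLocked = errors.New("device locked: data encryption key destroyed")

// ErrCorrupt covers truncated, tampered, or misfiled records.
var ErrCorrupt = errors.New("record failed authentication")

// Keystore stands in for the device's hardware-backed key store; the article
// names no product, so this is an assumed component for the example.
type Keystore struct {
	dek []byte // 256-bit data encryption key, never written to the file system
}

// NewKeystore generates the per-device data encryption key.
func NewKeystore() (*Keystore, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return &Keystore{dek: dek}, nil
}

// Wipe is the remote "lockdown": the key is zeroed and dropped, so every
// record sealed under it is unrecoverable even if the flash is later imaged.
func (k *Keystore) Wipe() {
	for i := range k.dek {
		k.dek[i] = 0
	}
	k.dek = nil
}

// aead builds the AES-256-GCM instance, or refuses if the device is locked.
func (k *Keystore) aead() (cipher.AEAD, error) {
	if k.dek == nil {
		return nil, ErrLocked
	}
	block, err := aes.NewCipher(k.dek)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one record. The record name is bound as associated data, so a
// ciphertext copied under another name will not open.
// Output layout: 12-byte random nonce || ciphertext || 16-byte GCM tag.
func (k *Keystore) Seal(name string, plaintext []byte) ([]byte, error) {
	aead, err := k.aead()
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, []byte(name)), nil
}

// Open authenticates and decrypts a record produced by Seal.
func (k *Keystore) Open(name string, blob []byte) ([]byte, error) {
	aead, err := k.aead()
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize()+aead.Overhead() {
		return nil, ErrCorrupt
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	pt, err := aead.Open(nil, nonce, ct, []byte(name))
	if err != nil {
		return nil, ErrCorrupt
	}
	return pt, nil
}

func main() {
	ks, err := NewKeystore()
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte(`{"mrn":"000123","name":"Test Patient","dx":"I10"}`)
	blob, _ := ks.Seal("patients/000123.json", record)
	pt, err := ks.Open("patients/000123.json", blob)
	fmt.Printf("open: %s (err=%v)\n", pt, err)
	ks.Wipe() // device reported lost: lockdown
	_, err = ks.Open("patients/000123.json", blob)
	fmt.Println("after wipe:", err)
}
```

On a real handset the data key would be generated inside the hardware-backed key store and marked non-exportable, so `Wipe` corresponds to the management command that deletes it rather than to overwriting a buffer in memory. The sandbox model Wilkinson describes is the application boundary that keeps other software on the device from ever being able to call `Open`.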
“The biggest thing that you have to avoid is appearing to be negligent,” says Chris Davis, an information consultant with Verizon in New York. “So if something does happen, you can at least say I have used industry-standard guidelines to secure this data. And make the best out of the situation. That’s the biggest recommendation I can make.”
Unfortunately, physicians may contribute to personal health data breaches, especially if they are not comfortable with certain forms of technology.
“Physicians are not business people,” Gordon says. “While they may understand a lot about a lot of things, as pertains to managing their own devices—whether they be PDAs, laptops, or iPads—they’re not very good at that.”
Gordon and Kam are part of a task force organized by ANSI and others to draw on a number of subject matter experts to write a white paper on the healthcare industry’s personal health information risks and vulnerabilities and recommend ways to address them. The project concluded as this article went to press, and the paper will be disseminated among industry stakeholders as well as congressional committees and other policy makers.
A Tale of Training
Peter Gabriel surely wasn’t the first to voice the maxim, “We’re only as strong as the weakest link in the chain.” This can apply to a healthcare organization’s efforts to secure the personal health data stored on its employees’ mobile devices. A data breach is no farther away than the next careless move, and that can happen anywhere at any time.
This is why personal health data security consultants recommend conducting training for all staff members who carry mobile devices containing confidential information. A good place to start is to recommend a review of the HHS website’s sections on HIPAA and the HITECH Act. Meanwhile, an in-house or visiting security/IT expert can convey a wealth of useful guidance in a concise presentation.
“You have to make the employee part of the solution,” says Dearing. “Training obviously is a good way to do that. Make them aware of the kinds of information that could be used, let’s say, on their smartphone. It has to be instilled in them that they are the custodians of this data. And if they lose the device, they have to know what to do. They also have to know that a certain policy is set up on the device to protect it if it’s lost.”
Wilkinson says training should be ongoing. “Typically, training is performed prior to the employee/user activating the device on corporate infrastructure. This initial training often is delivered in conjunction with a signed employee agreement that outlines the user’s responsibility for the security of the device and stored data,” he says. “Following the initial training, organizations will often include mobile devices as part of their annual security awareness training program. These refresher courses are usually delivered via online platforms that can track attendance electronically.”
Perhaps 80% of data breaches are attributable to employee error, according to Nancy Green, Verizon’s managing principal for healthcare. In light of this fact, it’s vital that the word be spread about best practices, she notes.
“We want to make sure people are educated on what’s right and what’s wrong—what you can and can’t do, what messages you can and can’t send, what’s encrypted and what’s not,” Green says.
Staff should also know the potential consequences if something goes amiss, she adds.
Risks and Rewards
Naturally, healthcare providers and administrators would not run the risk of data breaches without the considerable rewards that redound to users of laptops, tablets, smartphones, and PDAs. Theoretically, the quality and utility of medical records have been leaping decades—if not centuries—forward as doctors move from paper to electronic devices. Only yesterday it seems a doctor’s reception area was home to a forestlike array of hulking shelving units groaning under the burden of a thousand or more file folders.
An optimist may believe that greater experience in an era of proliferating mobile devices will foster greater knowledge of these machines and thereby occasion fewer personal health data breaches. In any case, mobile devices are here to stay, so healthcare providers should learn to live with them.
Interestingly, even as the number of data breaches has grown in the last couple years, few of those mishaps have had to do with tablets and smartphones, according to Gordon, who says laptops have been largely to blame. Yet the same security controls that apply to laptops also apply to the newer mobile devices. Those intent on disseminating prudent security measures and those willing to comply with them may be the greatest optimists of all.
— Robert J. Murphy is a freelance writer based in Philadelphia.