Into the Abyss
By Julie Knudson
For The Record
Vol. 26 No. 12 P. 24
Health care organizations victimized by a data breach face a series of residual effects, including financial and reputational harm.
Almost 30 million. According to a study by security firm Redspin, that's the number of patient records that have been exposed in data breaches and reported to Health and Human Services (HHS) since the HITECH Act's interim final breach notification rule became effective in August 2009. Measured against 2010 US census figures, that is slightly more than the combined population of the 16 most populous American cities.
Exposures of protected health information (PHI), once rare, have become an almost everyday event. In light of this trend, and considering the tremendous value of the information being stolen, it's important that hospitals know the ins and outs of life in a postbreach organization.
The January 2013 introduction of the HIPAA Omnibus Rule brought significant changes to earlier breach notification regulations. "Prior to that, the Interim Final Rule said that you didn't have to notify folks unless it was clear that privacy information had been compromised," says James C. Pyles, principal and cofounder of the Washington, D.C.-based law firm Powers, Pyles, Sutter and Verville. Even if an exposure had occurred, notification wasn't required if it appeared that no harm had been done. Some in the industry, including Pyles, felt the previous harm standard was out of tune because "it essentially put the fox in charge of the henhouse."
It wasn't difficult to argue that it was in a breached hospital's best interests to assume there was no harm, thus relieving it of notification responsibilities. But that's all changed. Under the new rule, an organization is obligated to follow the notification regulations unless it can either show that the incident falls within one of the three narrow exceptions (which also existed in the Interim Final Rule) or demonstrate, through a documented risk assessment, that there is a low probability the PHI has been compromised. "What it means today is that there is a presumption that almost any unauthorized disclosure of information is going to be a breach," Pyles says. The burden now rests with the breached health care organization to show that low probability; if it cannot, notification is required.
Determining that a reportable breach has occurred is accomplished through a risk assessment of the factors the rule specifies: the nature and extent of the PHI involved, including the types of identifiers and the likelihood of reidentification; the unauthorized person who used the PHI or to whom it was disclosed; whether the PHI was actually acquired or viewed; and the extent to which the risk has been mitigated. Because PHI coexists with unprotected data in nearly every health care organization's information systems, the first factor requires establishing exactly what was exposed. "That includes the types of information compromised, any personal identifiers taken, and likelihood of reidentification of people," says William M. Senich, CEO of Catapult Consultants. "One must also consider whether or not the information has been protected by methods like encryption that mitigate the risk of the specific personal data loss." The existence of encryption or other protective measures may have a bearing on determining whether the breach is reportable and/or requires notification, he adds.
Gathering all this information typically involves bringing in a third-party forensic investigator experienced in breaches. "We strongly recommend retaining the forensic investigator through legal counsel to seek to protect legal privilege," says Lisa Sotto, chair of global privacy and cybersecurity at legal firm Hunton & Williams in New York. After it's been determined what happened and how, she says it's time to assess the entity's legal obligations.
Because time is of the essence, Sotto suggests hospitals start preparing for the response and notification phases even as the investigation is being carried out. Patient notification letters as well as other support items may be needed. "You may need website materials and media materials," she says. "If you're offering credit monitoring, you need to get that service up and running." The hospital also may want to partner with a call center to field patient inquiries and a mail house or e-mail service provider to handle the distribution of documentation to those affected by the breach.
For hospitals that go through the review process and determine there has unequivocally been a breach, Bob Chaput, MA, CISSP, HCISPP, CRISC, CIPP/US, CEO of Clearwater Compliance, says there are three specific requirements that must be followed regarding notification. First, every affected individual must be notified and provided with information on the breach. "You have to communicate to them what happened, how it happened, what protected health information was involved, what actions you're taking to mitigate any further loss or harm, which actions they should take themselves to mitigate loss or harm, and then what you're going to do to permanently fix it in the future," he explains.
Closely related to the first, the second requirement says that if the breach involves 500 or more residents of a state or jurisdiction, then prominent media outlets serving that area must be alerted. "You're required to notify major or prominent media outlets—print, television, radio," Chaput says. The purpose of this broadcast approach (which often can be accomplished by issuing a press release) isn't to cause further embarrassment to the organization. Rather, it's designed to protect affected patients by getting the word out as quickly and as widely as possible.
The final step is providing notification and details to HHS. According to the breach notification rule, notifications must be made "without unreasonable delay" and no later than 60 days after the breach is discovered. For breaches affecting 500 or more individuals, HHS must be notified at the same time the affected individuals are; for smaller breaches, the HHS notice may instead be submitted through an annual log due within 60 days after the end of the calendar year in which the breach was discovered. Chaput believes hospitals that experience a breach are better served by completing the notification steps sooner rather than later. "Bad news doesn't age well," he says.
When it comes to data exposures, prevention is the best approach. In fact, preventive strategies also may enable a faster response if a breach does occur. Daniel W. Berger, president and CEO of Redspin, says the first priority is to conduct a HIPAA security risk analysis, with an emphasis on the security portion.
"Organizations tend to think of it as a compliance regulation, a policy-centered, regulation-centered assessment," he says. "What they end up with is a kind of gap analysis with the HIPAA regulations as opposed to what their real intent is, which is to identify potential threats and vulnerabilities in their systems that could lead to a breach of protected health information."
In tandem with the risk analysis, systems also should be tested for potential vulnerabilities so that any weaknesses can be identified and addressed before they lead to an exposure, he adds.
For breached health care organizations, the resulting financial pain comes in many forms. In addition to the expenses tied to hardware and software upgrades that may be required to close security gaps and the costs associated with providing affected individuals with supportive tools such as identity monitoring, hospitals also may face one or more fines. "There are criminal and civil monetary penalties that federal and state governments can levy, and now with the Omnibus Rule we've got federal penalties that go out to $1.5 million per year on these breaches," says Rob Rhodes, CPHIMS, CHCIO, CISSP, HCISPP, senior director of patient privacy solutions at Iatric Systems.
The costs can add up quickly, especially when lawsuits from injured parties start piling on. "It seems these days that everyone comes out of the woodwork to file either individual or class action suits if you do have a breach," Rhodes says. For hospitals hoping to wrap up their breach investigation before dealing with any litigation concerns, there's even more bad news. In some instances, class action suits have been filed within one week of a security event, long before the details of the exposure were gathered and confirmed.
And financial hits are just the beginning when it comes to a breach's overall effects. Other negatives are less tangible (and less measurable), but may be longer lasting. For example, the effects on morale within the hospital can be chilling. "It just sucks all the energy out of an organization, at least for a period of time," Pyles explains. "Management all the way up to the board of directors simply cannot ignore what's going on."
When breaches of any significant size occur, press coverage can keep the issue front and center for patients, employees, and business partners for several months or as long as a couple of years. "All the energies that the health care organization would otherwise be putting into expansion and creation of new products and services to patients get diverted to handling the breach," Pyles says. For example, the provider must notify patients, gather information for law enforcement, revise protocols, and issue new training standards. In other words, instead of focusing on forward-looking strategic initiatives, the organization can't help but funnel its resources into reacting to the breach.
Operational efficiencies also suffer in the long term. Berger says one of the risks of not having a well-crafted plan to respond to a breach is "the distraction and diversion of resources from other critical functions." Anything from the implementation of an EHR system to carrying out a regularly scheduled HIPAA risk analysis may suffer while leadership deals with a breach. "It's an often-overlooked expense, but it can certainly derail major projects," he says, adding that the assets needed to respond to a data exposure are likely the same ones that would otherwise be overseeing technology improvements and other top-tier initiatives.
If that isn't enough, Senich says the ramifications are becoming more apparent as compliance mandates gain strength and additional laws hit the books. "These enhanced regulations and the HIPAA compliance regulation will be really enforced in 2015, and that will affect every sector of the health care industry, especially the third-party vendors and providers," says Senich, who anticipates additional scrutiny by multiple oversight agencies and an increase in media coverage of the transgressions.
Regaining Patient Trust
Reputational harm is a downstream effect that hospitals shouldn't take lightly. No matter how well the breach response is conducted, the organization's reputation almost assuredly will be in the public's crosshairs. That's partly because the response requirements are specifically designed to spread word of the incident, which Sotto describes as being "in the vein of shouting from the rooftops the fact that you've had a compromise of your system. That leads to the inevitable reputational fallout, and much of the art of handling a data breach is around managing reputational risk."
Patient trust—difficult enough to earn in the first place—is even tougher to rebuild. Balancing disclosure with an underlying message that the hospital is doing all it can to protect patient privacy can be a challenge. "Organizations need to work very hard to try to both maintain the trust of patients immediately upon announcing a data compromise and also regain trust to the extent trust is compromised," Sotto says.
"This is absolutely about trust," Chaput says of the data breach landscape, particularly when it comes to health care systems. "It's a core element in every health care transaction." Discussions between patients and care providers, which are considered among the most personal and intimate in nature, involve exactly the kind of information consumers don't want to see exposed to third parties. As a patient, Chaput says, "I have a full expectation there is going to be confidentiality, and my information is not going to be disclosed without my permission." Even if a disclosure is inadvertent, patients are still likely to be dismayed, even angry, he notes.
Although technology is woven into nearly every aspect of modern life, the health care arena remains based on personal interactions. Once the trust between patients and their caregivers is broken, Senich believes remediation offers go only so far toward restoring it. "You've got to act very swiftly and communicate very effectively in order to win trust back," he says.
The challenges begin with the first vital step of breach management: responding quickly. That can be difficult because constituents within the health care sector, whether they deliver care, process claims, or fill another role, "sometimes lack the capability for a quick response or they don't have a response planned in advance," Senich says, adding that's why every organization must create and implement a comprehensive strategy for dealing with such events before one occurs.
— Julie Knudson is a freelance writer based in Seattle.
THE VALUE OF MONITORING TOOLS
One popular tool health care organizations offer to data breach victims, whether the exposure involves health or financial information, is credit monitoring. Rob Rhodes, CPHIMS, CHCIO, CISSP, HCISPP, senior director of patient privacy solutions at Iatric Systems, says providing identity theft protection is wise but cautions the financial outlay can escalate quickly. "It doesn't cost that much per person. Certainly if you have many, many patients it's a big price tag, but ultimately you'd end up doing the right thing," he says.
Credit monitoring can help demonstrate the hospital isn't being cavalier about the situation. "It's actually showing people that the organization does still care, and they want to do whatever they can to help protect those patients," Rhodes says, noting that credit monitoring can be one aspect of a long-term, multifaceted approach to rebuilding trust.
As the cyber crime landscape evolves, James C. Pyles, principal and cofounder of the Washington, D.C.-based law firm Powers, Pyles, Sutter and Verville, says a better remedy may be medical identity theft monitoring, a tool that's typically more expensive, but "one that's likely to restore the public's trust sooner."
Health insurance accounts may be included in this type of monitoring, which offers a higher and more targeted level of protection to breach victims. "When a claim is filed on your account, you get pinged to have you verify if that's really a claim you wanted to make," Pyles explains. Not only does this preserve the identity theft victim's benefits, but it also reduces the chance that fraudulent claims will corrupt the victim's medical records.