When deploying technology that keeps protected health information and other healthcare data safe, health systems must stay proactive.
In the past five years, HHS’ Office for Civil Rights (OCR) has increased enforcement of Health Insurance Portability and Accountability Act (HIPAA) violations, according to the HIPAA Journal. In 2015, there were only six HIPAA penalties, compared with 11 in 2018. Not only have enforcement actions increased, but fines and settlement amounts are also on the rise. In 2018, more than $28 million in penalties was paid to OCR, and the mean penalty amount for the year was $2.6 million. Anthem settled for $16 million for failing to respond to breaches that had occurred since 2015 and for lacking technical controls to prevent unauthorized access to electronic protected health information (PHI).
Because OCR enforcement continues to grow, costing healthcare organizations in both dollars and damage to their brands, it is important that health systems stay proactive when deploying technology that keeps PHI and other healthcare data safe. As the healthcare industry becomes more connected, through providers and payers, PHI and other data are transferred between more vendors, says Tim Eades, CEO of VArmour, an applications security company in Los Altos, California. “As health insurance carriers begin or mature within their ‘digital’ journey - think digital health ID cards held in digital wallets or mobile healthcare policy apps - the potential for PHI and personally identifiable information exposure increases,” Eades says.
But interoperability brings greater risk, because data becomes increasingly accessible, says Rich Temple, vice president and CIO of Deborah Heart and Lung Center in Browns Mills, New Jersey. “Ironically, the push for interoperability, and the goal to bring to a provider a patient’s entire medical history across many different arenas of care, poses some serious challenges in the HIPAA realm,” Temple says. “As the flow of PHI increases in the three V’s - volume, velocity and variety - more opportunities open up for that sacred information to be compromised, either by hackers or even by, ostensibly, well-meaning providers who may be using the patient’s data for use cases that go beyond what HIPAA allows.”
Ultimately, healthcare executives must stay on the hunt for technologies that can keep data protected, because threats from hackers continue to grow more sophisticated every day, says David Williams, general manager of the healthcare provider division of Conduent, a healthcare technology company in Florham Park, New Jersey. “Whether you’re talking about a national level or international level, the ability to hack healthcare data is fairly alarming.”
The security of cloud-based applications
With the explosive growth of cloud-based technology, and with many healthcare organizations relying on third- and fourth-party vendors, the movement of EHR systems onto or into connection with cloud-based platforms is a concern. Cloud-based applications can help with data security because the major providers have capabilities that can be used to enable strong security overall, says Eades. “However,” he adds, “if any system is brought from a non-cloud space to full cloud - lift and shift - or a fully on-premise platform is suddenly connected to the cloud, data security - and overall security - can be threatened if the naturally exponential relationships cloud introduced aren’t managed correctly.”
Although cloud-service vendors can stay abreast of security issues, often faster than their clients, working with a third party also has its risks, says Temple. “The challenge is that the healthcare organization is now dependent on yet another party, or business associate, to maintain HIPAA standards, and any breach on the part of the business associate will come back to bite the provider, even if the provider themselves didn’t do anything wrong,” Temple says.
Being able to visualize or map data flow is critical to applying appropriate protection technologies, says Eades. “Healthcare platforms must have the means to map network and systems topologies against data flow. As in the EHR to cloud/cloud-connected example, it’s critical that hybrid cloud and multi-cloud environments are considered as well.”
Since 2009, more than 189 million healthcare records have been stolen or exposed in over 2,500 breaches, according to the HIPAA Journal. That volume of records over the past decade means nearly 60% of the U.S. population may have been affected.
As more connected devices become available for patients, Temple says, providers have to stay alert when those devices interact with a health system’s data network. Medical devices themselves, such as balloon pumps and patient monitors, and the growing array of healthcare devices classified as the “internet of things,” are alluring targets for criminals, notes Temple. Technology that monitors data and how it is being used can be one of the best ways to catch a possible HIPAA violation early and take steps to fix it, Williams says. “Health systems should have technology to identify a threat, monitoring on a daily basis, if not hourly,” Williams adds.
Building in redundancy is also important if a primary system gets compromised through a malware attack. “We go well beyond the standard anti-virus, anti-malware that most organizations have deployed. We have robust backup regimens so in the event of an attack, we are as well positioned as we possibly can be to recover a legitimate dataset,” Temple says. “We are continuing to enhance our security toolset to monitor packets crossing our firewall and our endpoint assets for irregular activity. We even have some redundancy in our monitoring to make sure we have that extra layer of protection.”
Keeping staff on guard
Although technological advances can help keep healthcare organizations in compliance with HIPAA, educating staff on data safety is ultimately the first barrier, says Temple. A 2019 analysis by Bloomberg Law found that the fifth most common cause of data breaches in healthcare is staff having inappropriate access to team members’ or patients’ information. Though the intent behind the staff’s inappropriate access wasn’t always clear, the analysis found that some employees had looked up patients’ or other staff members’ data out of goodwill, such as to send a sympathy card. However, many staff breaches are due to mistakes, carelessness, and ignorance of HIPAA rules, the Bloomberg analysis found.
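As an added illustration, not taken from the article or from any vendor named in it, of the access monitoring Williams describes and of the staff-snooping breach category the Bloomberg analysis identifies, the Python below reviews constructed EHR audit records and flags lookups with no documented care relationship, calling out a coworker’s record separately. The record numbers, care-team table, and reason codes are hypothetical.

```python
"""Review EHR access-audit records for lookups with no documented care relationship."""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessEvent:
    user: str     # staff account that opened the record
    patient: str  # medical record number that was opened
    reason: str   # "treatment", "billing", "break_glass", or "" when none was logged


# Constructed sample data (hypothetical identifiers, not from any real system).
CARE_TEAMS = {  # patient -> staff with an active treatment relationship
    "MRN-1001": {"dr_lee", "rn_ortiz"},
    "MRN-1002": {"dr_patel"},
    "MRN-1003": {"dr_lee"},
}
STAFF_PATIENTS = {"MRN-1003": "rn_ortiz"}  # records that belong to a coworker

ACCESS_LOG = [
    AccessEvent("dr_lee", "MRN-1001", "treatment"),       # on care team: routine
    AccessEvent("rn_ortiz", "MRN-1002", ""),              # not on team, no reason logged
    AccessEvent("dr_patel", "MRN-1001", "break_glass"),   # emergency override
    AccessEvent("clerk_kim", "MRN-1003", ""),             # coworker's record, no reason
    AccessEvent("clerk_kim", "MRN-1002", "billing"),      # documented non-treatment use
]

ALLOWED_NON_TREATMENT = {"billing"}  # reasons that justify access outside a care team


def review_access_log(events, care_teams, staff_patients):
    """Return (event, finding) pairs that a privacy officer should investigate."""
    findings = []
    for ev in events:
        on_team = ev.user in care_teams.get(ev.patient, set())
        if on_team or ev.reason in ALLOWED_NON_TREATMENT:
            continue  # legitimate treatment or documented operational access
        if ev.reason == "break_glass":
            findings.append((ev, "break-glass override; confirm the justification"))
        elif ev.patient in staff_patients:
            owner = staff_patients[ev.patient]
            findings.append((ev, f"coworker record ({owner}) opened without care relationship"))
        else:
            findings.append((ev, "no care relationship and no documented reason"))
    return findings


if __name__ == "__main__":
    for event, finding in review_access_log(ACCESS_LOG, CARE_TEAMS, STAFF_PATIENTS):
        print(f"{event.user} -> {event.patient}: {finding}")
```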
Because of the real risk of human error, Temple also suggests endpoint and perimeter protections that can monitor for unusual behavior on the network and alert key players to that behavior. “A big technology gap is the human beings who work at healthcare organizations,” says Temple, noting that bad actors gain access to systems through phishing emails. “We constantly have to keep our people vigilant to not click or open things [when] they are not absolutely certain of the legitimacy of the source.”
Technology that provides encryption, two-factor authentication, secure messaging portals and automatic log-offs can help when human error leaves PHI vulnerable, says Michelle Garvey Brennfleck, associate and healthcare attorney at Buchanan Ingersoll and Rooney, a Pittsburgh law firm and lobbying group.
“Technology that is as close to fool-proof as possible may limit vulnerabilities and associated risk,” Brennfleck adds. “This is particularly important in the HIPAA space where one negligent or bad actor can create high dollar exposure.”
Donna Marbury is a writer in Columbus, Ohio.