May 12, 2016
Yesterday, the Children’s National Medical Center announced yet another major security breach, this one involving Ascend, a former business associate that provided medical transcription services between May 2014 and June 23, 2014. Children’s National learned on February 25, 2016 that a misconfigured file site that contained patient information “allowed access from the Internet to transcription documents for as many as 4107 patients via a File Transfer Protocol (FTP) server from February 19, 2016 to February 25.” There are several alarming facets of this incident that underscore the complexity of today’s hospital information security environment — and they provide important lessons. A few simple observations:
Lesson 1: This is CNMC’s second data breach; the first occurred between July and December 2014 when hospital employees succumbed to phishing exploits, exposing the PHI of 18,000 patients. The hospital has been sued, which remains an ongoing disruption and huge expense. What happened to the old adage “once bitten, twice shy?” In other words, why didn’t the hospital prevent this from happening again?
The lesson: You have felt the pain, and you should figure out how to prevent a reoccurence. Your IT department and security office must make this a priority, starting with a comprehensive security assessment.
Lesson 2: This most recent breach apparently was caused by a mistake of a vendor business associate (BA). Important: the hospital’s systems were not breached by a malicious hacker or compromised by unwitting employees. Instead, this incident highlights the dangers inherent in business associate relationships and the need to manage those relationships. In many hospitals across the country, a business associate agreement is a piece of paper — not a plan that needs managing. As we reported recently from a Ponemon survey, “87% of BAs have experienced electronic data security incidents in the last two years, in contrast to 65% of healthcare providers and payors. Nearly 60% of all [BA] participants said their incident response process had inadequate funding and resources, and the majority had not performed risk assessments.”
The lesson: Manage your business associates as diligently as Accounts Receivable manages the checks that come in the door. If you don’t, the money (and your reputation) will go right back out the door.
Lesson 3: CNMC’s latest breach occurred more than a year and a half after the business association ended. For shame. According to CNMC, “Ascend was contractually obligated to delete all Children’s patient information.” Absolutely true, assuming the BA agreement included this requirement, and to be fair (since these agreements have a lot of boilerplate language) it probably did. But, when the agreement was signed by executives, did anyone filter this down to the rank and file to ensure deletion of PHI? Since making revenues has a higher priority than cleaning up systems post-contract, this important step probably was never taken.
The lesson: The 2013 Omnibus HIPAA regs make business associates just as financially liable for breaches as covered entities. Most BA’s don’t know this. They must be attentive to the obligations they have taken on when they are working in healthcare. Read our 7-page summary of Omnibus HIPAA and get hopping.
Another day, another security breach. I will be visiting a physician this week who undoubtedly outsources his transcription. He’s a good doctor. But will my PHI be accessible through some hole in transmission or through a vendor system? As a patient, I have to be concerned. As a healthcare IT systems consultant, I know such security compromises can be prevented. If I were a provider, I would probably have to weigh priorities such as overall patient care, budgets, board worries, staff limitations and more.
In the end everyone wants better patient care, and we have seen much improvement as a result of incorporating ingenious new IT systems. But,despite the foresight of federal HIPAA leaders, we are still putting the cart before the horse — bringing in software and hardware capabilities without adequate or well-managed data protection, and jeopardizing our own security.
To all healthcare providers, HIT vendors, payors … let’s cross the Rubicon now, before it becomes an unnavigable flood plain.