The news has been filled with examples of high profile healthcare data breaches recently. February’s huge Anthem breach is notable because it potentially affects 80 million people, over twice the number of individuals reported on the HHS “Wall of Shame” of medical data breaches since it was created over a decade ago. That website reports an alarming number of breaches already this year, with about 350,000 more individuals affected, primarily by breaches of electronic data, but also because of improper disclosure of paper and films.
The consequences of a breach can be significant:
Large fines. In recent years OCR has been increasingly levying large fines for healthcare data breaches. Examples can be seen here. Note that while some physician group fines are in the $100,000 range, most of the healthcare provider fines are larger: New York and Presbyterian Hospital and Columbia University have paid a combined $4.8 million in civil penalties.
High costs to investigate and resolve the security hole that caused the breach. Anthem, for example, has engaged a leading cybersecurity firm at significant cost to conduct forensic analysis to determine the circumstances of the breach, and identify exactly which records were compromised.
Increased (and uncomfortable) scrutiny. In a larger breach, particularly where outside forces were involved, the government is likely to get involved twice. Anthem must cooperate with investigations by the FBI, and depending on the final analysis, may be subject to more scrutiny from the Office for Civil Rights, because the breach included identifying information about their covered consumers.
Reputational Harm. The news media is very vigilant about data breach cases, and large breaches must be reported to the HHS “Wall of Shame.” In addition, media releases to inform affected parties may be necessary. The upshot can be significant, and cause long-lasting harm to an organization’s reputation.
Examine these costs and imagine the panicked activity that would ensue in your organization after a breach. Unfortunately, this activity will amount to nothing more than closing the stable door after the horse has bolted.
What is needed is an objective investigation before the breach ever occurs. By definition, even the most well-intentioned internal individuals are unlikely to be fully objective, particularly if they hold either direct or indirect responsibility for security.
[Figure: HHS Breaches by Source]
When Phoenix is asked to help an organization understand its level of security compliance, our approach is to conduct a mock audit of the organization’s security. We examine in detail and make recommendations about:
The organization’s risk analysis. Almost every recent breach related settlement by OCR has included statements about the covered entity’s inadequate understanding of the actual risks that caused the breach. In many cases, OCR specifically has noted the generally poor quality of the organizations’ risk analyses. Most of the cases I’ve seen began with just such failures. For example, in most of our security assessments, we’ve documented many instances where existing policies are not followed. As any good compliance officer will tell you, if a security case ends up in litigation, it is almost always worse to have a policy that’s not followed, than to have not recognized the need in the first place.
Policies and procedures. These must meet HIPAA and best practice requirements, and be accessible. In many organizations, existing policies are woefully out of date, unchanged from the earliest days of HIPAA security compliance requirements. Often they are incomplete, and do not cover issues created by advancing technologies or other environmental changes. They also may not reflect the many changes in HIPAA requirements, such as those in the 2013 “Omnibus” HIPAA rules. (You can download our complete analysis of Omnibus HIPAA here.) Reviewing and analyzing your policies and procedures to determine needed updates is a painstaking but necessary part of a proper security assessment.
Compliance with the policies and procedures. Some organizations go for exhaustive examination — others, minimal. Obviously, we recommend a thorough approach. Either way, we typically uncover a number of areas where practice is not in line with the stated approach. One easy example is to compare a Human Resources list of recently terminated personnel against system access.
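The terminated-personnel check described above is easy to automate once HR and the access-control system can each export a list. The script below is an added example, not part of the original post or of Phoenix's assessment tooling; the CSV layouts, the employee and account records, the grace period and the as-of date are all constructed assumptions. It reports accounts that are still enabled after the owner's termination date and, separately, accounts that actually logged in after that date, which is the stronger finding.

```python
"""Reconcile an HR termination list against a system access export.

Added example for illustration; the CSV layouts and all records below are
constructed, not taken from any real organization.
"""
import csv
import io
from datetime import date

# Constructed HR export: employee id, name, termination date (ISO format).
HR_TERMINATIONS_CSV = """employee_id,name,termination_date
E1001,Alice Example,2015-02-02
E1002,Bob Sample,2015-02-20
E1003,Carol Test,2014-11-15
"""

# Constructed access export: account, owning employee id, enabled flag,
# and most recent login (ISO format, or empty if the account never logged in).
ACCESS_CSV = """account,employee_id,enabled,last_login
aexample,E1001,true,2015-02-25
bsample,E1002,false,2015-02-19
ctest,E1003,true,
dnew,E1004,true,2015-02-26
"""


def load_terminations(hr_text):
    """Return {employee_id: termination_date} parsed from the HR export."""
    terminated = {}
    for row in csv.DictReader(io.StringIO(hr_text)):
        terminated[row["employee_id"]] = date.fromisoformat(row["termination_date"])
    return terminated


def find_orphaned_access(hr_text, access_text, as_of, grace_days=1):
    """Return a sorted list of (account, employee_id, issue, days_after_termination).

    Two issues are reported:
      enabled_after_termination - account still enabled more than grace_days
                                  after the owner's termination date, as of as_of
      login_after_termination   - a login was recorded after the termination date
    Accounts whose owner is not on the termination list are skipped; a check for
    accounts with no HR owner at all belongs in a separate reconciliation.
    """
    terminated = load_terminations(hr_text)
    as_of_date = date.fromisoformat(as_of)
    findings = []
    for row in csv.DictReader(io.StringIO(access_text)):
        term_date = terminated.get(row["employee_id"])
        if term_date is None:
            continue
        enabled = row["enabled"].strip().lower() == "true"
        last_login = date.fromisoformat(row["last_login"]) if row["last_login"] else None

        days_enabled_after = (as_of_date - term_date).days
        if enabled and days_enabled_after > grace_days:
            findings.append((row["account"], row["employee_id"],
                             "enabled_after_termination", days_enabled_after))

        if last_login is not None and last_login > term_date:
            findings.append((row["account"], row["employee_id"],
                             "login_after_termination", (last_login - term_date).days))
    return sorted(findings)


if __name__ == "__main__":
    for account, emp, issue, days in find_orphaned_access(
            HR_TERMINATIONS_CSV, ACCESS_CSV, as_of="2015-03-01"):
        print(f"{account:10} {emp:6} {issue:26} {days:4d} days")
```

Run against the constructed data with an as-of date of 2015-03-01, the script flags `aexample` twice (still enabled 27 days after termination, and a login 23 days after) and `ctest` once (enabled 106 days after termination, never used); `bsample` is clean because the account was disabled and its last login predates the termination. In a real assessment the same reconciliation should be run against every system that holds PHI, not only the directory, since application-level accounts are the ones most often missed.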
Physical security posture. A quick examination of the HHS list of reported breaches shows that an overwhelming number of them result from theft and improper disposal. Again, examinations of the vulnerability of computers, other devices, and other data sources in an organization typically uncover many areas of risk.
Technical issues, including encryption. Issues with laptops and unencrypted media also figure prominently in the HHS reports. Technical security, including the use or non-use of encryption, is certainly important, but the more likely breach scenario is that a technical breach (e.g. a hack) is caused by an administrative security issue. In the Anthem case, for example, access appears to have been gained through compromised administrator passwords. The attackers initially ran a database query that returned the data using the accounts of five system administrators, each of whom probably had legitimate access to the data set.
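The Anthem scenario above, legitimate administrator accounts used to pull a whole data set, is one that database audit logging can surface if someone actually looks at the log. The following added example is not from the original post and does not describe Anthem's environment: the audit-log line format, the list of privileged accounts, the row-count floor and the baseline multiplier are all constructed assumptions. It builds a per-account baseline from each account's other queries (so a single huge pull cannot hide behind its own baseline) and flags privileged accounts whose row count far exceeds it.

```python
"""Flag bulk data pulls by privileged accounts in a database audit log.

Added example for illustration; the log format, accounts and thresholds are
constructed assumptions, not taken from any real system.
"""
import re
from statistics import median

# Constructed audit log: timestamp, account, object queried, rows returned.
AUDIT_LOG = """\
2015-02-03T09:14:02Z account=dba01 object=members rows=40
2015-02-03T10:02:11Z account=dba01 object=members rows=55
2015-02-03T11:30:45Z account=dba02 object=claims rows=12
2015-02-04T02:17:09Z account=dba01 object=members rows=78800000
2015-02-04T02:21:33Z account=dba03 object=members rows=1200000
2015-02-04T08:00:00Z account=app_svc object=members rows=950000
"""

# Assumed set of administrator accounts; in practice this comes from the
# database's role membership, not a hand-maintained list.
PRIVILEGED = {"dba01", "dba02", "dba03"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) object=(?P<obj>\S+) rows=(?P<rows>\d+)$"
)


def parse_audit_log(log_text):
    """Return a list of (ts, account, obj, rows) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m["ts"], m["account"], m["obj"], int(m["rows"])))
    return events


def flag_bulk_pulls(log_text, privileged=PRIVILEGED, factor=100, floor=10_000):
    """Return (ts, account, obj, rows) for privileged queries that look like bulk pulls.

    For each privileged-account query, the baseline is the median row count of
    that account's *other* queries (leave-one-out). The query is flagged when
    rows > max(floor, factor * baseline); an account with no other history is
    judged against the floor alone. Non-privileged accounts are left to a
    separate check so this one stays focused on administrator misuse.
    """
    events = parse_audit_log(log_text)
    by_account = {}
    for ev in events:
        by_account.setdefault(ev[1], []).append(ev[3])

    flagged = []
    for ts, account, obj, rows in events:
        if account not in privileged:
            continue
        others = list(by_account[account])
        others.remove(rows)  # leave this query out of its own baseline
        baseline = median(others) if others else 0
        threshold = max(floor, factor * baseline)
        if rows > threshold:
            flagged.append((ts, account, obj, rows))
    return sorted(flagged)


if __name__ == "__main__":
    for ts, account, obj, rows in flag_bulk_pulls(AUDIT_LOG):
        print(f"{ts} {account:8} {obj:10} {rows:>12,} rows  <-- review")
```

On the constructed log the check flags the 78.8 million row pull by `dba01` (whose other queries return a few dozen rows) and the 1.2 million row pull by `dba03` (no history, so the floor applies), while the ordinary queries and the non-privileged `app_svc` account are not reported. The point for an assessment is less the exact threshold than whether the organization has such a log at all, retains it, and has someone responsible for reviewing what it flags.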
Doing an objective security assessment — the more thorough the better — before a breach ever occurs, obviously makes a lot of sense. Hospitals can significantly reduce or eliminate the risk of fines, damage to their reputation, and ongoing uncomfortable scrutiny in the future. They will also spend much less, and experience little disruption in comparison to managing a panicked after-the-fact forensic analysis.
Nevertheless, the HHS record shows that many healthcare organizations have not made such assessments a priority — or updated their risk analyses and improved their security protections where needed. And they’ve been caught “red-handed” by breaches.
Today, such lack of proactiveness on the issue of security — by any healthcare organization — simply makes no sense.
If you’d like to know more about security assessments and how to help prevent a breach in your organization, contact us!