2019 seems to be the year of information breaches. 2019 is reaching the fourth quarter soon, but this year has already seen at least 25 million patient records breached; this is a staggering ten million more than in 2018.
The breaches seem to be getting larger as well according to the ten biggest healthcare data breaches, with more than 200,000 records breached at a time. Additionally, not all healthcare companies are reporting the breaches in a timely manner as required by law.
How can you establish trust as a healthcare provider or entity that safeguards patient data?
Image Source: https://www.trendmicro.com
This infographic timeline shows how there is an increasing trend of medical breach victims. Protecting patient data is more important than ever.
Protecting Patient Data
The Health Information Technology for Economic and Clinical Health (HITECH) Act was introduced to promote and expand the adoption of health information technology. HITECH protects private patient information by regulating who has access to patient records, how patients are notified when there is a breach, and how compliance laws related to HITECH and HIPAA are enforced.
The Department of Health and Human Services (HHS) is responsible for providing regular audits and establishing programs to improve healthcare quality, safety, and efficiency through the promotion of health IT, including electronic health records and private and secure electronic health information exchange.
The HITECH Act, one element of the American Recovery and Reinvestment Act, has listed eleven objectives to help develop a robust health technology program and better care for patients. Promotion of health information technology is the primary objective and has listed the ways in which HITECH:
- ensures that each patient’s health information is secure and protected, in accordance with applicable law;
- improves health care quality, reduces medical errors, reduces health disparities, and advances the delivery of patient-centered medical care;
- reduces health care costs resulting from inefficiency, medical errors, inappropriate care, duplicative care, and incomplete information;
- provides appropriate information to help guide medical decisions at the time and place of care;
- ensures the inclusion of meaningful public input in such development of such infrastructure;
- improves the coordination of care and information among hospitals, laboratories, physician offices, and other entities through an effective infrastructure for the secure and authorized exchange of health care information;
- improves public health activities and facilitates the early identification and rapid response to public health threats and emergencies, including bioterror events and infectious disease outbreaks;
- facilitates health and clinical research and health care quality;
- promotes early detection, prevention, and management of chronic diseases;
- promotes a more effective marketplace, greater competition, greater systems analysis, increased consumer choice, and improved outcomes in health care services; and
- improves efforts to reduce health disparities
One of the ways that HITECH protects patient data is through HHS conducting regular healthcare audits.
According to the Department of Health and Human Service website, the “HITECH [Act] requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of the covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.”
The OCR established a compliance enforcement audit that contains directives on who will be audited, how an audit is performed, the timeline of the audit, how consumers are affected by audits, and other such details.
“The audit program is an important part of OCR’s overall health information privacy, security, and breach notification compliance activities. OCR uses the audit program to assess the HIPAA compliance efforts of a range of entities covered by HIPAA regulations. The audits present an opportunity to examine mechanisms for compliance, identify best practices, discover risks and vulnerabilities that may not have come to light through OCR’s ongoing complaint investigations and compliance reviews, and enable us to get out in front of problems before they result in breaches. OCR will broadly identify best practices gleaned through the audit process and will provide guidance targeted to identified compliance challenges.”
These audits are designed to help improve patient care by updating old systems, catching flaws or oversights, and improving upon record management. Yet, if the 2019’s trend of significant medical breaches continues, it’s important to ask the question as to what to do should a breach occur.
As shown above, medical breaches are becoming more and more common. In an Accenture survey from 2017, medical breaches have led to consumers paying an average of $2,500 in out of pocket expenses. A staggering 25% of consumers have had their healthcare data stolen.
One of the difficult aspects of a medical breach is that it is not always the top priority of patients or doctors alike. If your child was diagnosed with a rare disease and had to see multiple specialists plus stay in the hospital intermittently through the year, the last thing on your mind is probably whether all that paperwork you filled out is going to be safe. You just want your child to be healthy and back in your home again.
The doctors and hospital staff are dealing with hundreds to thousands of patients and attempting to provide the best care possible. When budgeting for the hospital, staff might have to choose between purchasing a new MRI machine or updating the firewall. With 70% of hospitals indicating that they are not concerned about protecting patient data, it’s more important than ever to have laws regulating data protection.
This is why the HITECH Act is such a crucial addition to the medical legislation; regulating electronic records and enforcing tighter security measures helps doctors and staff focus on care. In addition to regularly conducted audits, the HITECH Act also implemented stricter non-compliance fines and notice of breach requirements.
Notice of Breach Requirements
One of the aspects of the HITECH Act was an introduction of requirements businesses must follow to notify patients of breaches.
Dave Kennedy, CEO of TrustedSEC LLC and healthcare security expert said, “As attackers discover new methods to make money, the healthcare industry is becoming a much riper target because of the ability to sell large batches of personal data for profit. Hospitals have low security, so it’s relatively easy for these hackers to get a large amount of personal data for medical fraud.”
The personal data gathered by hospitals is extremely valuable because insurance providers and patients may not be aware their data was compromised in the first place. Thieves can use patient credentials to obtain drugs or fake IDs.
Unlike credit cards, which banks closely monitor and will quickly shut down if any fraud is detected, insurers may not pay close attention to how patient credentials are being used. This means that medical data is far more valuable than even credit card data as director of threat intelligence at PhishLabs, Don Jackson indicated, “stolen health credentials can go for $10 each, about 10 or 20 times the value of a U.S. credit card number.”
With this information in mind, requiring that hospitals and other healthcare providers inform their patients of data breaches can mitigate damage and costs. The HITECH Act lays out exact regulations for how data breaches should be handled.
Breaches Affecting Fewer Than 500 Individuals
The rule for breaches affecting fewer than 500 individuals according to the HHS website is as follows:
“If a breach of unsecured protected health information affects fewer than 500 individuals, a covered entity must notify the Secretary of the breach within 60 days of the end of the calendar year in which the breach was discovered. (A covered entity is not required to wait until the end of the calendar year to report breaches affecting fewer than 500 individuals; a covered entity may report such breaches at the time they are discovered.) The covered entity may report all of its breaches affecting fewer than 500 individuals on one date, but the covered entity must complete a separate notice for each breach incident.”
Breaches Affecting More Than 500 Individuals
The rule for breaches affecting more than 500 individuals according to the HHS website is as follows:
“If a breach of unsecured protected health information affects 500 or more individuals, a covered entity must notify the Secretary of the breach without unreasonable delay and in no case later than 60 calendar days from the discovery of the breach. The covered entity must submit the notice electronically.”
Additionally, members of the media must also be informed of a breach affecting more than 500 individuals to help ensure that those who may miss a notice would be informed through other media sources. This rule implemented by the HITECH Act helps protect patient data by keeping the patient in the loop with their data.
One of the most important things any patient can do to prevent identity theft or sale of their data is to be cognizant of what data is where and who has access to it. It may seem like a lot to keep track of, but it is important to assume the mantle of responsibility when it comes to your personal data.
Nonetheless, healthcare providers and patients should be aware that relying on the government to prevent cybersecurity threats is a complex and overwhelming task. Relying on third-party companies like RSI Security can reduce the strain on government audits and regulations.
Minimizing Medical Breach Risks and Costs
Software and cybersecurity companies can help minimize medical breach risks and costs. The following suggestions can help augment changes already in place through the HITECH Act:
- Become and remain HIPAA compliant. This is a key task for any healthcare provider. It might seem difficult to obtain compliance, but not if you turn to helpful guides like keeping HIPAA compliance or consultations with RSI Security experts on becoming HIPAA compliant.
- Practice good data governance. Data governance is a philosophy that should be adopted by everyone in the organization from the CEO to medical secretaries handling phone calls and records. If you refer back to the infographic detailing how important it is to protect patient private data, look at the top three causes for data breaches within the healthcare industry. Number one is employee action (this could be anything from not properly securing data, falling for phishing scams, or disgruntled action against the employer) and number three is third party error. By practicing good data governance, these threats can be nipped in the bud.
- Monitor relationships with business associates. Cliche as it may sound, a chain is as strong as its weakest link. Healthcare providers should assess business associates that share patient data or have access to such data. Note whether these businesses themselves are also HIPAA compliant or whether they implement security best practices. Cybersecurity companies should be providing updates and reports on the nature of the healthcare provider’s security.
- Encrypt all data. This is an additional cost to a healthcare provider, however, properly encrypted data that is stolen, compromised, or lost does not require breach notification. Just note that in order to comply with HIPAA rules on encryption, the decryption key must be stored at a location separate from where the data is held that is encrypted or decrypted.
The HITECH Act was a much-needed amendment to HIPAA. The act updated many of the outdated practices that HIPAA could not have foreseen when it was first written into law. The following are the most important changes made.
- Amendments to privacy and security rules: HHS requires stricter rules and regulations than previously set by HIPAA . With an evolving world of technology, HHS indicated that “a major goal of the Security Rule is to protect the privacy of individuals’ health information while allowing covered entities to adopt new technologies to improve the quality and efficiency of patient care. Given that the healthcare marketplace is diverse, the Security Rule is designed to be flexible and scalable so a covered entity can implement policies, procedures, and technologies that are appropriate for the entity’s particular size, organizational structure, and risks to consumers’ e-PHI.”
- Enforcement rule updates: penalties for HIPAA/HITECH violations increased to $50,000 or up to $1.5 million for multiple infractions. HHS is more involved in enforcing regulations to protect patient data
- Changes to the definition of “breach”: HHS redefined what a breach entailed, and how to update patients according to the type of breach.
- Changes to the definition of “business associate”: HHS redefined what a business associate is requiring third party vendors who facilitate the data transmission to also be held responsible for private information breaches.
All these changes were specifically put in place to protect private patient data. Technology continues to evolve and the threat landscape shifts as a result. This is why it is crucial to the success of a healthcare company to seek help from qualified professionals like RSI Security for compliance and cybersecurity needs.