Signed by President Bill Clinton, the Health Insurance Portability and Accountability Act [HIPAA] of 1996 was enacted to protect the privacy rights of patients through the development of national standards for electronic healthcare transactions. In conjunction with this act, the Health Information Technology for Economic and Clinical Health (HITECH) Act focuses on improving the American healthcare system through the increased focus on healthcare IT. Both of these acts play a large role in the ongoing discussion surrounding security and privacy breaches of Electronic Medical Records (EMRs) in the healthcare industry.
HIPAA and HITECH require companies to not only keep detailed procedures to be followed in the event of a breach, but to also practice them and keep current on any developments in the law. There’s a really good reason for demanding this, too. In 2010 – 2011 Covered Entities, which include health care providers, health plans and health care clearinghouses, reported 18,750 small breaches – defined as breaches affecting Personal Health Information (PHI) from fewer than 500 patients. In the same period at least 525 major breaches, were reported and investigated by the Department of Health and Human Services (HHS).
Smaller breaches are obviously much more common, but the number of people affected by major breaches is staggering. With fewer than one major breach in the US per day, over 21 million patients had their protected health information illegally disclosed. Covered Entities can’t claim ignorance – HIPAA became law in 1996, and most organizations were given as long as twelve years to become compliant. Despite the best efforts of government and industry, nearly one in ten Americans has personally suffered a breach in their own medical privacy. The small breaches alone cost the Covered Entities more than $5,000,000.
At a glance it might appear that the rules aren’t working. Millions of people are being exposed to unnecessary risk, including identity theft and other fraud. If nothing else, that’s a justifiable case to be angry and feel violated. So what’s going on?
Data breaches in the healthcare industry are unusual in three dimensions: the over-representation of internal breach sources, the over-representation of healthcare in overall number of breaches and the dubious distinction of being the industry with the longest hang time from breach to discovery, to patch to prosecute.
Overwhelmingly, security breaches happen internally. Internal data leaks aren’t unusual – across every type of organization you can find an employee entrusted with information they shouldn’t have access to. These employees can have malicious intentions, selling the internal data they’ve acquired to the highest bidder. The back alleys of the internet are heaving with them. They run a black market trade of personal information. Everyone has seen the prime time exposés and the insurance commercials on CNN. Identity theft is real, and it’s lucrative.
Despite the frequent HIPAA investigations and successful prosecutions, the fire sale of personal data continues, and healthcare information is available in practically unlimited quantities. Are hackers really stealing your anti-histamine prescription history and your BMI data since birth? Of course not. They’re stealing your SSN, your contact information, your insurance data, your address, and in some cases your credit card number.
It’s more difficult to come by credit card data online, as credit card clearing houses and issuers understand the valuable nature of payment card data, and have developed a policy to enforce its safeguarding. The policy has sharp teeth, too. Merchants who repeatedly violate the requirements may be fined, held liable for damages arising and much worse, barred from processing credit cards. Financial risks for breaches in the healthcare sector, while they add up to millions of dollars, are much lower than for credit card data loss. This makes healthcare an attractive target for a risk-minded criminal.
While healthcare data is invaluable to the patients affected, the cost that’s applied to its mishandling is appallingly low when compared to data breaches in other industries. Recent data shows that six months of healthcare data breaches in the US cost the entire healthcare sector under $3 million. While seeming high, that figure pales in comparison to the almost $26 million spent in the education sector. While regulations are having an impact, it’s clear that this area is not one protected enough.
HHS reports show that organizations have taken the regulations and deadlines seriously, with the vast majority having claimed to be compliant on time. Audits of these claims were also mostly positive. Very few successful breaches took place by hacking attempts, suggesting that organizations are doing an admirable job maintaining secure IT environments.
The mix of these statistics and observations leads me to conclude that the healthcare industry still lacks a strong security culture. To be fair, this culture doesn’t develop overnight. People are mostly raised to be polite and trusting, and a strong security culture works against that. A strong security culture means speaking up when you see someone without a badge or walking around with stacks of confidential files. Over time, employees will feel more comfortable with not holding doors open for people and expecting to see all fellow employees or contractors wearing a piece of corporate identification. Initially the change may be uncomfortable, but expecting higher security standards will become commonplace over time.
HIPAA and HITECH are steps in the right direction for protecting the privacy of patients. While security regulations are beginning to take shape, the lack of serious consequences has made security adoption slower in healthcare, compared to other industries. If HHS is serious about making patient privacy a priority it’s time they beef up their enforcement strategy. While HITECH is an attempt to stem the flow of breached PHI, it has seen limited success. It’s time for larger fines and heavier penalties for those who continue to violate the rules.