More health care organizations on HIPAA’s hit list

To avoid penalties, facilities should step up risk management, including cyber insurance


When the Health Insurance Portability and Accountability Act (HIPAA) became law in 1996, the internet was an infant. Physicians walked around with paper charts. A tablet referred to a pill. And the typical cyber attack aimed to deface a website.

But with the evolution of the electronic age, the majority of the nearly 1.2 billion annual medical visits in the United States are documented, stored and shared in electronic form.

And the threat landscape has been evolving as well.

Kurt Roemer, Citrix chief security strategist

“Now that (the records) are online and connected across multiple providers and exchanges, there will be more breaches if nothing else is done (for security),” says Kurt Roemer, chief security strategist for Citrix, which provides security tools.

Related essay: Why check-box HIPAA compliance is a bankrupt strategy

In response, federal authorities have stepped up enforcement actions against health care organizations that violate patient privacy rules under HIPAA. As a result, the number of sanctions has reached record levels.

In August, Advocate Health Care Network agreed to pay a record $5.55 million HIPAA settlement for a series of 2013 data breaches affecting 4 million patients.

That case was the tenth closed this year by the Department of Health and Human Services’ Office of Civil Rights (OCR), surpassing any previous year since HIPAA became law.

Settlements send a message

And the fines levied by OCR in 2016 have been hefty, averaging just over $2 million per sanction. This stepped-up enforcement is no doubt sending a message to health care providers.

Matt Mellen, Palo Alto Networks security architect

“There’s a clear upward trend,” says Matt Mellen, security architect for health care with Palo Alto Networks, which provides a next-generation cybersecurity platform. “Ten fines in one year is definitely enough to get the attention of health care organizations.”

The trend also is reflected in the number of incidents reported by HIPAA-covered entities. OCR’s database, which only includes incidents that impact 500 or more individuals, shows a steady growth each year.

In 2010, 198 incidents were reported to OCR, compared to 296 in 2014 and 269 last year. This upward trend has been documented in various cybersecurity reports, including IBM’s 2016 Cybersecurity Intelligence Index, which put health care at the top of all other industries for the number of data breaches.

And according to Ponemon’s recent “State of Cybersecurity in Healthcare Organizations in 2016,” nearly half of the 535 respondents said their health care organizations experienced an incident in the past 12 months involving loss or exposure of patient data.

The sector is clearly struggling to keep up with the threats, but the problem is not the law itself, says Niam Yaraghi, a fellow at the Center for Technology Innovation at the nonprofit Brookings Institution.

Putting teeth into the law

“HIPAA is a fairly good law,” he says. “The problem is that health care organizations consider it as the ultimate level of security that they have to implement, and they do not have any incentive to go beyond HIPAA.”

Jodi Daniel, a key draft writer of HIPAA’s Privacy Rule and Enforcement Rule

“When the rules first came out … the focus of enforcement was on education and promoting voluntary compliance,” says Jodi Daniel, who worked for the Department of Health and Human Services for 15 years and was one of the key draft writers of HIPAA’s Privacy Rule and Enforcement Rule. The goal was to help the industry “get it right, as opposed to penalizing them for getting them wrong.”

The first OCR settlement—$100,000—didn’t come until 2008. And over the next three years, there were only a total of six. The pace picked up in 2012, as has the average amount of the settlements.

What happened in the meantime was the passage in 2009 of the Health Information Technology for Economic and Clinical Health Act. The HITECH Act dramatically expanded the penalties, based on “increasing levels of culpability,” and increased the maximum to $1.5 million instead of $25,000 per identical violation. It also extended HIPAA to business associates.

The addition of business associates was significant, considering that a large number of breaches are attributed to third-party incidents.

Risk management more important

The increased OCR enforcement also is putting an emphasis on risk management. Of the 39 settlements to date, at least 14 included lack of risk assessments among the violations.

Palo Alto’s Mellen says OCR’s emphasis on risk management is a positive trend.

“The risk management process is designed to identify all the potential threats to patient data and allows you to define action plans to mitigate those risks,” he says.

Cyber attacks, in particular, pose a bigger threat to patient privacy than other types of breaches. Yaraghi’s report shows that nearly 120 million people were affected by about 150 incidents involving cyber attacks vs. a little over 20 million people affected by about 700 incidents involving theft (laptops, media, etc.).

And the number of hacking/IT incidents is seeing a dramatic increase. Those reported to OCR between 2010 and 2014 grew from nine to 32. In 2015 there were 57; this year through August there already have been 51.

Niam Yaraghi, fellow at the Center for Technology Innovation

Yaraghi is a proponent of a third-party HIPAA certification system to serve as a preventative measure. But a true economic incentive, he believes, would be cybersecurity insurance. He recommends every health care organization have a policy.

“Health care organizations will have to take security into account to reduce the cost of premiums,” he says.

In the meantime, the increased OCR enforcement could create a stronger incentive for health care organizations to step up cybersecurity. It will also get the attention of boards of directors, Citrix’s Roemer says.

“It would make it more difficult for the health care institutions and their boards to casually say they aren’t going to invest in security,” Roemer says. “It will definitely drive some changes in behavior.”
