By: Alaap Shah and Marshall Jackson
Data is going digital, devices are going mobile, and technology is revolutionizing how care is delivered. It seems to be business as usual, as your health care organization continues to digitize its operations. You have even taken measures to help guard against the “typical” risks such as lost laptops, thumb drives and other electronic devices. However, unbeknownst to you, hackers sit in front of their computers looking for ways into your network so that they may surreptitiously peruse confidential financial records and sensitive patient information.
Unfortunately, this scenario is commonplace, and brings with it hefty costs. To the extent electronic protected health information (“e-PHI”) is compromised in a cyber security breach, health care entities can expect to spend on average $233 per record to clean up the problem. As health care operations digitize, organizations should be cognizant of the cyber security risks impacting the data that flows through their systems. Further, health care entities need to understand how to assess and manage these risks to meet Health Insurance Portability and Accountability Act (“HIPAA”) and Health Information Technology for Economic and Clinical Health Act (“HITECH”) requirements.
The facts of “cyber” life…
Although health care organizations have not always been a primary target for cyber-attacks, hackers are recognizing the value of the data held by health care companies. Research indicates that electronic data in the health care sector is among the most vulnerable. Additionally, health care entities account for the highest percentage of incidents, more than one-third of all data breaches in the country. In one report, 94% of health care entities have experienced security breaches impacting their data. Moreover, medical identity theft among patients has increased by over 19% over the last year as a result of cyber security breaches.
Even given what we know, much about cyber security related breaches remains uncertain. There are two main reasons for this uncertainty:
- Most cyber security breaches go undetected; and
- Many cyber security breaches go unreported.
Across all industries, one report asserted that approximately 69% of cyber security breaches go undetected. Of those breaches that are detected, 94% go unreported for months or longer before finally being discovered. Yet there is one certainty in this climate: there are only two types of organizations, those that have already been hacked and those that will be at some point.
Why cyber security is important now more than ever…
Recently, data breaches have come under greater scrutiny as the risk of a breach has grown. The Department of Health and Human Services’ Office of Civil Rights (“OCR”) has responded to data breaches by aggressively enforcing HIPAA, which reinforces that compliance with HIPAA requirements is a top priority. Chiefly, the HIPAA breach notification rule was amended to lower the reporting threshold from a “risk of harm” standard to a “probability of compromise” standard. As a result, the health care industry will see increased breach reporting, which will likely result in increased enforcement for noncompliance. This is bad news for health care companies because penalties for noncompliance with HIPAA have also been ramped up under the HIPAA Final Rule promulgated under HITECH.
With an increased focus on data breaches under HIPAA and HITECH, health care organizations don’t want to be the last to know how their e-PHI is being compromised. Not understanding the organization’s cyber security threats is:
- Bad for patients, because it can lead to identity theft;
- Bad for the organization, because regulators may use that as evidence of noncompliant security practices; and
- A likely path to noncompliance with reporting obligations under HIPAA and HITECH.
In addition to increased enforcement on the part of OCR, the FBI has joined the effort to investigate cyber security breaches. For example, in October 2013, the FBI opened an investigation of a cyber security breach affecting a network of hospitals and clinics, in which someone gained unauthorized access to the medical records of up to 1,800 patients.
The FBI also recognized that collaborative efforts are needed to solve the cyber security problem. These include investigating insider threats, detecting external threats, and informing the health care industry of cyber security threats. However, even with these collaborative efforts, health care organizations must be cognizant that assistance from the FBI could lead to increased scrutiny about the organization’s security practices. As such, proactive cyber security risk management is the best approach to ensure compliance with HIPAA and HITECH.
What can you do…
The stakes are getting higher regarding cyber security and HIPAA compliance. However, there are several steps health care organizations can take to protect against cyber security data breaches. Further, taking these steps can protect health care companies in the context of increasing investigatory activity on the part of OCR and other agencies, such as the FBI.
First, organizations should conduct periodic risk analyses to determine cyber security related risks. The risk analysis can help organizations to:
- Identify key systems and locations;
- Determine where e-PHI is located;
- Identify vulnerabilities and threats;
- Evaluate security safeguards; and
- Evaluate risk to e-PHI.
Second, health care organizations should evaluate whether the draft cyber security framework established by the National Institute of Standards and Technology (“NIST”) can improve the organization’s risk management process. The NIST cyber security framework contains five core elements, which help an organization:
- Identify critical infrastructure,
- Protect the organization’s critical infrastructure using appropriate safeguards,
- Detect cyber security events,
- Respond to cyber security events using pre-defined and prioritized activities, and
- Recover from cyber security events to restore critical infrastructure.
The framework’s core elements then further subdivide into categories and subcategories and provide cross-references to a number of different standards from industry and government that address each subcategory within those functions. Health care organizations can review these references and select the standard that best addresses the organization’s particular needs. Note that the cyber security framework is currently open for discussion, which means the components may change when the framework is finalized.
Ultimately, as the health care industry continues to digitize, organizations must be cognizant of the cyber security risks affecting their networks, systems and data. Further, as the number of cyber security related breaches increases, health care companies must prepare to identify and report such breaches as required by HIPAA and HITECH. Yet, to avoid the pain and cost of recovering from a breach and also paying hefty fines for noncompliance with HIPAA, health care companies should proactively leverage HIPAA risk analyses (potentially incorporating the NIST cyber security framework) to identify, prioritize, mitigate and monitor risk affecting e-PHI.
Follow Alaap Shah on Twitter: @HealthITLawyers