By Marshall Jackson and Alaap Shah
If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.
There is no doubt that a primary concern raised by these data breaches is risk to consumers’ financial wellbeing. Chiefly, hackers that seek out personal information tend to sell or use the data to commit identity theft and credit card fraud. Yet, an often overlooked concern involves risk to the medical wellbeing of individuals. It is commonplace for retail chains to operate pharmacies within their facilities where electronic protected health information (“e-PHI”) is received, used, stored and transmitted. Although current information regarding known breaches does not indicate that pharmacy files were accessed, the vulnerability of e-PHI stored by these entities is a serious concern in the field of health care privacy. To manage these risks, entities should take heed of the privacy and security concerns raised in the most recent data breaches, and proactively craft comprehensive and sophisticated approaches to data security.
Historically, data security is reactive in nature: corporations store data on their systems; hackers break into the systems (or the systems of their business partners); companies, if aware of the breach, modify their security to prevent a similar data breach; hackers find a different weakness and again breach the system. This cycle continues ad infinitum.
While there is definitely value in defensive security, as cybersecurity risks grow and lead to an increasing volume of data breaches, healthcare entities may want to consider strategies to stay on the offensive when it comes to the security of e-PHI. The laws applicable to the security of e-PHI provide a flexible framework to address these risks, but most entities have not designed effective risk management programs that address risk proactively. Nevertheless, the HIPAA Security Rule requires entities to implement a number of technical safeguards that can be used proactively. For example, HIPAA requires audit controls so that entities have sufficient awareness of system activity (and specifically of malicious activity). If reasonable and appropriate controls are put in place for these safeguards, companies can thwart hackers' attempts to gain unauthorized access to e-PHI.
Offensive security requires a proactive mindset and approach to protecting computer systems, networks, and protected information from attack. While proactive security can take several forms, some liken the proactive approach to purchasing insurance: assets are invested and measures are taken to protect against the risk that something will occur resulting in liability or loss. In the modern digital world it is often not a question of “if” but rather “when” a company will experience a data breach. According to a 2012 independent study by the Ponemon Institute, a staggering 94 percent of health care organizations have had at least one data breach in the last two years alone. The same study estimated that the overall economic impact of a breach has risen six-fold over the last few years and now costs millions. With this in mind, here are just a few reasons why proactive data security should be a priority for health care entities:
1) Rapid & Continuous Evolution of Cyber Security Threats. Hackers are not only more sophisticated, they are more prevalent; threats to cyber security do not remain static in nature or volume. This unrelenting growth may be a result of the success rate of the illicit activity. Merely reacting to hackers’ successful attempts puts the industry at a major disadvantage because hackers are incentivized to evolve.
2) Ignorance. It is a common misconception that data security breaches are rare; more often, data breaches go undetected or unreported. The simple truth is that no organization is immune, and any organization may be an unwitting victim of a breach at any moment.
3) Monetary & Reputational Damage. Data breaches have a reverberating effect on a company. Damages are not limited to fines or sanctions, and they exceed the cost of mitigating the breach for consumers. Frequently, the greatest damage done is that to the company’s reputation. Consumers may second-guess their choice of providers based on an organization’s perceived failures, and the company’s reputation across the industry may diminish their competitive advantage for years to follow.
What Your Company Can Do
The prevalence of data breaches has led many to ask the question “Is proactive data security the solution?” There are many proactive measures that healthcare entities can implement to combat data breaches; the following summarizes just a few.
A risk assessment is the first critical step a health care entity should take when implementing a proactive data security plan. The HIPAA Security Rule requires conducting risk assessments. Further, the National Institute of Standards and Technology (NIST) has placed great emphasis on conducting risk assessments as the foundation of data security. Risk assessments systematically identify vulnerabilities that even the most sophisticated organizations may not have anticipated. Identifying vulnerabilities can help a company stay ahead of hackers by showing where to direct its security resources.
Depending on the size of the company, data security may be only a secondary function of the company’s IT Department. Given the severity of the potential risk, security should not be just one of many tasks for the IT department. According to a 2013 Ponemon Study, the average cost of a data breach exceeds $5 million without even considering reputational harm. Studies show that U.S. hospitals alone incur an estimated $1.6 billion each year in costs from security incidents. Although certain actions might initially seem redundant, measures such as establishing a dedicated data security team or department, appointing specific data-security personnel within an IT department, or investing in robust data security software and hardware, are all worthwhile investments that will likely prove less costly than a data breach.
HIPAA requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. Audit controls must be sufficient to examine system activity comprehensively. NIST audit control standards provide substantial guidance on conducting proactive system monitoring and activity logging. Audit controls give a company visibility into its own systems, allowing it to recognize suspicious activity early in order to limit exposure and ultimately prevent a full-blown data breach.
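The kind of automated review an audit control can feed, as an added example that is not from the authors or from any particular product: it parses a few constructed pharmacy-system access-log lines (the log format, user names and patient IDs are assumed for illustration) and flags an account that touches an unusual number of distinct patient records within a short window, or touches e-PHI outside business hours, the sort of early signal that the audit-control safeguard discussed here and in the HIPAA technical-safeguards paragraph above is meant to surface.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical pharmacy-system access log;
# format assumed for illustration: timestamp|user|action|patient_id|source_ip
SAMPLE_LOG = """\
2014-03-03T09:12:04|rph_jdoe|VIEW_RX|P10021|10.4.1.17
2014-03-03T09:20:11|rph_jdoe|DISPENSE|P10021|10.4.1.17
2014-03-03T23:41:02|svc_backup|EXPORT_RX|P10500|10.4.9.3
2014-03-03T23:41:03|svc_backup|EXPORT_RX|P10501|10.4.9.3
2014-03-03T23:41:03|svc_backup|EXPORT_RX|P10502|10.4.9.3
2014-03-03T23:41:04|svc_backup|EXPORT_RX|P10503|10.4.9.3
2014-03-03T23:41:05|svc_backup|EXPORT_RX|P10504|10.4.9.3
2014-03-03T23:41:06|svc_backup|EXPORT_RX|P10505|10.4.9.3
not a well-formed line
"""

def parse_log(text):
    """Parse the constructed format into dicts; skip malformed lines instead of crashing."""
    events = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) != 5:
            continue
        ts, user, action, patient, ip = parts
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "patient": patient, "ip": ip})
    return events

def find_suspicious_access(events, max_patients=5, window=timedelta(minutes=10),
                           business_hours=(7, 20)):
    """Return (user, reason) alerts for bulk record access inside `window` and for after-hours access."""
    alerts = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
    for user, evs in by_user.items():
        start, bulk_flagged = 0, False   # sliding window over this user's events
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {e["patient"] for e in evs[start:end + 1]}
            if len(distinct) > max_patients and not bulk_flagged:
                alerts.append((user, f"{len(distinct)} distinct patient records within {window}"))
                bulk_flagged = True
        # Any access to e-PHI outside the configured business hours is worth a look
        after_hours = [e for e in evs if not business_hours[0] <= e["ts"].hour < business_hours[1]]
        if after_hours:
            alerts.append((user, f"{len(after_hours)} e-PHI access events outside business hours"))
    return alerts
```

The thresholds are placeholders; in practice they would come from the risk assessment and from a baseline of each role's normal access pattern.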
Conduct Breach Drills
Preparation is the key to mitigating damage that cannot be prevented. Similar to a fire drill, companies should maintain a plan to be implemented in case of a data breach, and that plan should be put into practice regularly. HHS has teamed with HITRUST to launch CyberRx, an industry-wide effort to simulate cyberattacks. Twelve organizations will participate in these simulated cyber-attacks. The goal of CyberRx is to help industry participants identify ways to better prepare for, and respond to, cyber-attacks. This is an exercise of great value and can be done independently of HHS. By preparing to respond to a breach, companies can ensure that damage will be contained as efficiently and effectively as possible when one occurs.