By Marshall Jackson and Alaap Shah

If you have tuned into the news over the last few months, you are likely aware that several major corporations—including one of the nation’s largest retail chains—have suffered data breaches. These breaches have affected hundreds of millions of consumers, and in some cases exposed sensitive financial data such as credit card information, as well as personal information including names, mailing addresses, phone numbers, email addresses, usernames and passwords.

There is no doubt that a primary concern raised by these data breaches is risk to consumers’ financial wellbeing. Chiefly, hackers that seek out personal information tend to sell or use the data to commit identity theft and credit card fraud. Yet, an often overlooked concern involves risk to the medical wellbeing of individuals. It is commonplace for retail chains to operate pharmacies within their facilities where electronic protected health information (“e-PHI”) is received, used, stored and transmitted. Although current information regarding known breaches does not indicate that pharmacy files were accessed, the vulnerability of e-PHI stored by these entities is a serious concern in the field of health care privacy. To manage these risks, entities should take heed of the privacy and security concerns raised in the most recent data breaches, and proactively craft comprehensive and sophisticated approaches to data security.

Historically, data security is reactive in nature: corporations store data on their systems; hackers break into the systems (or the systems of their business partners); companies, if aware of the breach, modify their security to prevent a similar data breach; hackers find a different weakness and again breach the system. This cycle continues ad infinitum.

While there is definitely value in defensive security, as cybersecurity risks grow and lead to increasing volume of data breach, healthcare entities may want to consider strategies to remain on the offensive when it comes to data security of e-PHI. The laws applicable to the security of e-PHI provide a flexible framework to address these risks, but most entities have not designed effect risk management programs to address risk proactively. Nevertheless, the HIPAA Security Rule requires entities to implement a number of technical safeguards which can be used proactively. For example, HIPAA requires audit controls to ensure entities have sufficient awareness about system activity (and specifically malicious activity). If reasonable and appropriate controls are put in place relative to these safeguards, companies can thwart hackers from gaining unauthorized access to e-PHI.

Offensive security requires a proactive mindset and approach to protecting computer systems, networks, and protected information from attack. While proactive security can take several forms, some liken the proactive approach to purchasing insurance. Assets are invested and measures are taken to protect against the risk that something will occur resulting in liability or loss. In the modern digital world it is often not a question of “if” but rather “when” a company will experience a data breach. According to a 2012 independent study by the Ponemon Institute, a staggering 94 percent of health care organizations have had at least one data breach in the last two years alone. The same study estimated that overall economic impact of a breach has risen six-fold over the last few years and now costs millions. With this in mind, here are just a few reasons why proactive data security should be a priority for health care entities:

1) Rapid & Continuous Evolution of Cyber Security Threats. Hackers are not only more sophisticated, they are more prevalent; threats to cyber security do not remain static in nature or volume. This unrelenting growth may be a result of the success rate of the illicit activity. Merely reacting to hackers’ successful attempts puts the industry at a major disadvantage because hackers are incentivized to evolve.

2) Ignorance. It is a common misconception that data security breaches are rare—more often data breaches go undetected or unreported. The simple truth is that no organization is immune, and may be an unwitting victim of a breach at any moment.

3) Monetary & Reputational Damage. Data breaches have a reverberating effect on a company. Damages are not limited to fines or sanctions, and they exceed the cost of mitigating the breach for consumers. Frequently, the greatest damage done is that to the company’s reputation. Consumers may second-guess their choice of providers based on an organization’s perceived failures, and the company’s reputation across the industry may diminish their competitive advantage for years to follow.

What Your Company Can Do

The prevalence of data breaches has led many to ask the question “Is proactive data security the solution?” There are many proactive measures that healthcare entities can implement to combat data breaches, the following summarizes just a few.

Risk Assessment

A risk assessment is the first critical step a health care entity should take when implementing a proactive data security plan. The HIPAA Security rule requires conducting risk assessments. Further, The National Institute of Standards and Technology (NIST) have placed great emphasis on conducting risk assessments as the foundation for data security. Risk assessments systematically identify vulnerabilities that even the most sophisticated organizations may not have anticipated. Identification of vulnerabilities can help a company stay ahead of hackers by knowing where to utilize security resources.

Invest in Data Security

Depending on the size of the company, data security may be a dual function for the company’s IT Department. Based on the severity of the potential risk, security should not be just one of many tasks for the IT department. According to a 2013 Ponemon Study, the average cost of a data breach exceeds $5 million without even considering reputational harm. Studies show that each year U.S. hospitals alone incur costs of an estimated $1.6 billion each year for security incidences. Although certain actions might initially seem redundant, measures such as establishing a dedicated data security team or department, appointing specific data-security personnel within an IT department, or investing in robust data security software and hardware, are all worthwhile investments which will likely prove less costly than a data breach.

Improve Audit Controls

HIPAA requires organizations to implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use e-PHI. Audit controls must be sufficient to examine system activity comprehensively. NIST audit control standards provide substantial guidance on conducting proactive system monitoring and activity logging. Audit controls give a company visibility into their own system, allowing them to recognize suspicious activity early in order to limit exposure and ultimately prevent full-blown data breach.

Conduct Breach Drills

Preparation is the key to mitigating damage that cannot be prevented. Similar to a fire drill, companies should maintain a plan for implementation in case of a data breach, and that plan should be put to practice regularly. HHS has teamed with HITRUST to launch CyberRx, an industry-wide effort to simulate cyberattacks. Twelve organizations will participate in these simulated cyber-attacks. The goal of CyberRx is to help industry participants identify ways to better prepare for, and respond to cyber-attacks. This is an exercise of great value and can be done independent of HHS. By preparing to respond to a breach, companies can ensure that damage will be contained as efficiently and effectively as possible when one occurs.

For updates on Health Privacy and Security follow Marshall Jackson on Twitter: @MJacksonJr_ESQ

Follow Alaap Shah on Twitter: @HealthITLawyers

Back to Health Law Advisor Blog

Search This Blog

Blog Editors

Related Services

Topics

Archives

Jump to Page

Subscribe

Sign up to receive an email notification when new Health Law Advisor posts are published:

Privacy Preference Center

When you visit any website, it may store or retrieve information on your browser, mostly in the form of cookies. This information might be about you, your preferences or your device and is mostly used to make the site work as you expect it to. The information does not usually directly identify you, but it can give you a more personalized web experience. Because we respect your right to privacy, you can choose not to allow some types of cookies. Click on the different category headings to find out more and change our default settings. However, blocking some types of cookies may impact your experience of the site and the services we are able to offer.

Strictly Necessary Cookies

These cookies are necessary for the website to function and cannot be switched off in our systems. They are usually only set in response to actions made by you which amount to a request for services, such as setting your privacy preferences, logging in or filling in forms. You can set your browser to block or alert you about these cookies, but some parts of the site will not then work. These cookies do not store any personally identifiable information.

Performance Cookies

These cookies allow us to count visits and traffic sources so we can measure and improve the performance of our site. They help us to know which pages are the most and least popular and see how visitors move around the site. All information these cookies collect is aggregated and therefore anonymous. If you do not allow these cookies we will not know when you have visited our site, and will not be able to monitor its performance.