By now, many, if not most, of your facilities have transitioned to electronic health records, a move that is supposed to facilitate communication between health care providers and provide coordination of care for patients. Security measures have been put in place to ensure the privacy of patients, and the HHS threatens hefty fines for facilities that experience breaches of security. But a disturbing statistic calls these measures into question: a recent Internet security threat report by Symantec showed that health care had the highest percentage of data breaches of any sector: 43%, compared to government (14%) and education (13%).[1]
Breaches seem to abound. Among others:
- A hack into health records in Utah resulted in the theft of 780,000 claims, some of which included Social Security numbers. Officials claim to have a strong, multilayered defense, but the stolen data had been “lingering on state computers for months, instead of being erased within a day” and was unencrypted because it wasn’t required by federal regulation. A single password (and a weak one at that) was all it took to get to the data.[1,2]
- A laptop with 34,500 records of patients at Howard University Hospital was stolen from the car of a former contractor. These records, too, were unencrypted; but the bigger question is, why was the contractor allowed to put the data on his personal laptop in the first place?[1]
- TRICARE, which provides civilian health benefits for our military and their families, lost backup tapes with the files of 4,901,432 patients.[3] The backup tapes may have included Social Security numbers, addresses, and phone numbers, as well as personal data such as clinical notes, lab tests, and prescriptions. Covered entities must promptly notify affected individuals of a breach, as well as the HHS Secretary and the media in cases where a breach affects more than 500 individuals.[5] These breaches are posted on the HHS Web site at: www.hhs.gov/ocr/privacy/hipaa/administrative/breachnotificationrule/breachtool.html
Between 2003 and 2011, there were more than 22,000 complaints about violations of HIPAA’s privacy rule.[3] What’s the problem? Lisa Gallagher, senior director, privacy and security, at the Healthcare Information and Management Systems Society (HIMSS), says that entities were not prepared when HHS mandated the transition to EHRs and offered incentives to facilities that made the change. Facilities (and physician offices) need to have a policy, she says, and IT groups need to get involved in policy making, e.g., a rule against downloading patient information.
“They need to put in place technical architectures such that storage on a device is not required. For instance, an employee could view the information in a database, but not download it to a device,” Gallagher says.
She adds that the simplest and first step for institutions is to sit down and decide on the policy, codify it, educate employees about it, and monitor them so that they are not skirting the rules.
“A lot of it is in the category of administrative control,” Gallagher says. “First they need to put policies in place; but we find that organizations don’t, especially with portable devices like smart phones. Employees start using them before the IT departments even know about it. They need to stay ahead of it and put policies and procedures in place and make a big deal of it.”
HIMSS has six privacy and security tool kits on its Web site, offering different resources depending on what the facility needs: there is one on cloud security, and others on mobile security and risk assessment. They include sample policies, sample user agreements, and examples of how other organizations have solved the same problems. Access the tool kits at: www.himss.org/ASP/topics_pstoolkitsDirectory.asp?faid=569&tid=4.
Gallagher says that one thing institutions tell her is that they want to learn from what their peers are doing, adding, “That’s what we try to facilitate. That’s important. We can tell them these are solutions that are already working.”
These are institutions that are focused on helping people, says Gallagher: “they want to do the right thing.”
— Marian Benjamin
1. Roiter N. Latest wave of healthcare data breaches. Available at: www.securitybistro.com/blog/?p=1450. Accessed June 6, 2012.
2. Associated Press. Hacked Utah health data guarded by weak password. Available at: www.heraldextra.com/news/local/hacked-utah-health-data-guarded-by-weak-password/article_b3b55158-9533-11e1-82b2-001a4bcf887a.html?print=true&cid=print. Accessed June 6, 2012.
3. Schultz D. Kaiser Health News. As patients’ records go digital, theft and hacking problems grow. Available at: www.kaiserhealthnews.org/Stories/2012/June/04/electronic-health-records-theft-hacking.aspx. Accessed June 6, 2012.
4. Merrill M. Lost TRICARE backup tapes could expose nearly 5 million records. Available at: www.govhealthit.com/news/lost-tricare-backup-tapes-could-expose-nearly-5-million-records. Accessed June 6, 2012.
5. HHS issues rule requiring individuals be notified of breaches of their health information. Available at: www.hhs.gov/news/press/2009pres/08/20090819f.html. Accessed June 6, 2012.