The following is an excerpt from Protecting Patient Information by author Paul Cerrato and published by Syngress. This section from chapter two explores what happens after a data breach in healthcare.
"Motives aside, data privacy, security, and breach response planning efforts are often not a fiscal priority in the C-suite, leaving patients, reputations -- and the bottom line -- at severe risk." That assessment was made in a 2012 article in Forbes Magazine. Does it still hold true today?
Statistics bear out the fact that many healthcare executives believe that there are many other fiscal priorities that need to come before investment in stronger cybersecurity. For example, a recent survey conducted by the Healthcare Information and Management Systems Society (HIMSS) found that only 64% of hospitals and medical practices have put encryption software in place to protect patient data as it is transported from one location to another. Similarly, a survey conducted by the Ponemon Institute, a research center focused on data security, found that 73% of healthcare organizations have yet to implement the necessary resources to prevent data breaches or detect them once they occurred. A separate survey found that only 42% of healthcare providers were planning to put encryption in place and only 44% are planning to set up single sign-on and authentication on their web-based applications and portals.
These statistics strongly suggest that decision makers in the healthcare community still see the need for more security as unwarranted. Some may even suspect that the call for more security is just an alarmist rant by information security specialists or vendors hoping to sell more software and hardware. That argument might stand up to scrutiny, were it not for the long list of data breaches that have been reported in the last few years -- many of which were preventable.
The United States Department of Health and Human Services Office of Civil Rights (OCR) publishes a comprehensive list of healthcare data breaches in the US (Fig. 2.1). As of March 27, 2015, it contained 1184 breaches that affected 500 or more individuals. This so-called "Wall of Shame," which can be viewed at https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf, includes some massive attacks, such as the one that compromised 78,800,000 individuals at the large medical insurer Anthem -- reported to HHS on 3/14/13 -- the breach that exposed 11,000,000 members of Premera Blue Cross (3/17/2015), and the one that occurred at Community Health Systems (4.5 million), which was submitted to HHS on 8/20/2014. Several smaller organizations and individual clinicians have also been embarrassed by having their breaches posted on the site. Clinicians in Ohio, Texas, and California, for example, are included on the list by personal name, along with how many patient records were exposed in each facility and the type of breach that occurred, for example, theft, hacking, unauthorized access or disclosures, and/or improper disposal of records.
OCR is required by Section 13402(e)(4) of the Health Information Technology for Economic and Clinical Health (HITECH) Act to post any breach of unsecured protected health information (PHI) affecting 500 or more individuals. Even more disturbing for small medical practices and community hospitals is the fact that federal officials are now going after providers who have experienced PHI leakages that affect fewer than 500 individuals. In 2013, Health and Human Services announced that the Hospice of North Idaho had to pay $50,000 for violations of the Health Insurance Portability and Accountability Act (HIPAA) because the facility allowed an unencrypted laptop with PHI for 441 patients to be stolen. In the words of Leon Rodriguez, the Director of the Office of Civil Rights at the time: "This action sends a strong message to the healthcare industry that, regardless of size, covered entities must take action and will be held accountable for safeguarding their patients' health information…. Encryption is an easy method for making lost information unusable, unreadable and undecipherable."
OCR is currently making plans to not only investigate healthcare organizations that have reported data breaches but to catch delinquent providers off guard by re-launching a program that audits providers who have not reported any incidents. A pilot project that started in 2011–2012 revealed several shortfalls. Mark Fulford, a partner at LBMC, an accounting and consulting firm in Brentwood, TN, explains: "The 2012 OCR audits revealed the healthcare industry at large had not yet begun to take compliance seriously. An astounding two-thirds of audited entities had not even performed a complete and accurate risk assessment, which is the first step in putting a security strategy in place."
That initial series of about 100 audits found that many providers had neither taken basic steps to protect their networks, nor were they able to identify their vulnerabilities -- an important requirement spelled out in the federal regulations that I will discuss in chapter 4: Risk Analysis. Some organizations did not even know where their PHI resided. And they could not say definitively what data had been stored in those mysterious locations.
Adding insult to injury, OCR found many employees were accessing data from unsecured mobile devices in public locations. Similarly, the audits indicated that many healthcare organizations were not training staff on how to manage PHI. The Civil Rights office has not only published the general approach it used for auditing providers, which will give you some sense of what you may face in the future, but it also warns that these protocols are in the process of being updated for use in the next round of audits. In the past, OCR has divided its approach to the auditing process into three broad categories: administrative risks, physical risks, and technical risks. In all likelihood, it will take a similar approach when it launches its next series of audits.
The cost of insecurity is steep
If you are responsible for the financial welfare of your organization, no doubt one question that comes to mind is: How much will it cost me if I do not adequately safeguard our PHI? Although protecting patient information involves legal and ethical issues, let us just focus on the financial issues for the moment.
It is estimated that healthcare organizations spend about $6 billion a year as a result of data breaches. Since that does not tell you much about the cost of a breach to an individual provider, one has to look more closely at specific expenses. If your patients' PHI is compromised and a federal investigation determines that your organization shares some of the responsibility for that data loss, expect each violation to cost between $100 and $50,000. That is per patient record. So a stolen laptop containing unencrypted records of 1,000 patients can cost the practice between $100,000 and $1.5 million in penalties alone. (Although $50,000 × 1000 = $50 million, the government caps these penalties at $1.5 million.)
The Department of Health and Human Services (HHS) provides more detail on how it calculates the fines, breaking them down into four categories. If HHS determines that you unknowingly allowed the data breach and had exercised reasonable diligence, the fine is still between $100 and $50,000 per violation. However, if the breach occurred due to a "reasonable cause," that range then jumps to $1,000 to $50,000 per violation. A third category, for a breach resulting from willful neglect that was corrected in a timely manner, will result in a fine of $10,000 to $50,000. And lastly, if your organization has willfully neglected to take precautions and did not correct the problem in a reasonable amount of time, the fine is at least $50,000 per violation, with a cap of $1.5 million per calendar year.
In addition to these broad criteria, numerous factors go into the HHS determination of how much to fine a healthcare provider, including how much harm results from the violation and the facility's history of prior compliance with the HIPAA regulation. And although the OCR is most interested in breaches of more than 500 patient records, the government will go after smaller incidents when they believe it serves the cause of justice, as mentioned above.
In 2009, for instance, Massachusetts General Hospital (MGH) agreed to pay $1,000,000 to settle a HIPAA violation that only affected 192 patients. The Office of Civil Rights had MGH sign a resolution agreement requiring it to "develop and implement a comprehensive set of policies and procedures to safeguard the privacy of its patients." The agreement resulted from an OCR investigation that started with a complaint filed by a patient whose PHI was exposed. Since the 192 patients affected by the breach were being treated by Mass General's Infectious Disease Associates outpatient practice, which included patients with HIV/AIDS, the exposure of patients' data not only threatened to expose them to the possibility of identity theft, but it also revealed their HIV status, clearly a very personal piece of information that most patients would want to keep confidential. And although the incident involved paper documents, the same judgment would likely have been made had this been an electronic breach.
A closer look at data breach fines
Although OCR has posted the data breaches of over 1000 healthcare providers on its web site, this is only a small percentage of the HIPAA complaints it has received over the years. A closer look at the statistics makes it clear that OCR is not "out to get you."
Since April 2003, it has received over 100,000 complaints. In more than 10,000 cases, its investigation concluded the entity in question had not violated the HIPAA rules. In more than 69,000 cases, OCR said the complaint was not "eligible" for enforcement for a variety of reasons, including the fact that some organizations are not covered by the HIPAA rules.
OCR investigated more than 23,000 cases that required changes in privacy and security practices by the provider, but most of these healthcare organizations never wound up among the 1,000+ that saw their "sins" posted on the Wall of Shame. And even fewer providers were actually fined for their violations, which begs the question: When do you get fined? A review of some of the violators who were penalized can assist executives as they review their security policies and practices.
Anchorage Community Mental Health Services (ACMHS) agreed to pay $150,000 for "potentially" violating HIPAA rules. The data breach, which affected more than 2700 individuals, occurred because, although the organization had put security rule policies in place in 2005, over time these policies were never actually implemented. Anchorage also allowed malware to compromise its records system. As the OCR report explained it: "The security incident was the direct result of ACMHS failing to identify and address basic risks, such as not regularly updating their IT resources with available patches and running outdated, unsupported software." In a bulletin released by OCR, director Jocelyn Samuels stated: "Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to electronic protected health information (ePHI) on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks."
Parkview Health System, a nonprofit healthcare system that provides community-based healthcare services to individuals in northeast Indiana and northwest Ohio, paid $800,000 for violating HIPAA rules. (Once again the official OCR report refers to this and most other breaches as "potential" violations of the HIPAA Act.) The violation occurred because Parkview did not properly handle patient records of about 5000 to 8000 patients. Parkview had taken custody of the records while helping a retiring physician transition her patients to new providers. Parkview employees left 71 cardboard boxes containing this sensitive material in the physician's driveway, unattended. As OCR pointed out, providers "must appropriately and reasonably safeguard all PHI in its possession, from the time it is acquired through its disposition… All too often we receive complaints of records being discarded or transferred in a manner that puts patient information at risk… It is imperative that HIPAA covered entities and their business associates protect patient information during its transfer and disposal." Notice that the bulletin describing this data breach also mentioned a healthcare provider's business associates. (HHS defines business associate as "a person or entity that performs certain functions or activities that involve the use or disclosure of PHI on behalf of, or provides services to, a covered entity.") Several violations have involved BAs, which we will discuss in chapter 9: HIPAA, HITECH, and the Business Associate.
New York-Presbyterian Hospital (NYP) and Columbia University (CU) recently had to accept the largest fine yet to be levied against a healthcare organization. The two organizations, which work together as New York-Presbyterian Hospital/Columbia University Medical Center, were fined $4.8 million for exposing electronic PHI of 6800 individuals. The data included patient status, vital signs, medications, and lab results. The breach occurred because a physician employed by Columbia University had developed applications for both institutions and then attempted to deactivate a personally owned computer server on the network containing NYP electronic PHI. Because of a lack of technical safeguards, deactivation of the server resulted in patient information being accessible on Internet search engines.
The medical center was cited for several other infractions. OCR's investigation found that neither NYP nor CU made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections. The medical center had not conducted an accurate and thorough risk analysis to identify all systems that had access to NYP's ePHI, which meant it was not able to develop an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI from both institutions. Finally, OCR states in its bulletin that "NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management."
Concentra Health Services was fined more than $1.7 million because one of its facilities, the Springfield Missouri Physical Therapy Center, had an unencrypted laptop stolen. What is interesting about this investigation was the fact that Concentra had done the required risk analysis before the incident occurred but did not follow through afterward. According to the OCR, "Concentra had previously recognized in multiple risk analyses that a lack of encryption on its laptops, desktop computers, medical equipment, tablets, and other devices containing ePHI was at critical risk. While steps were taken to begin encryption, Concentra's efforts were incomplete and inconsistent over time leaving patient PHI vulnerable throughout the organization."
The data breach at Adult & Pediatric Dermatology, P.C., illustrates the impact data breach violations can have on small- to mid-sized medical practices. The group practice, with offices in Massachusetts and New Hampshire, was cited because an unencrypted thumb drive containing the ePHI of approximately 2200 individuals was stolen from the vehicle of one of its staff members. The practice agreed to pay $150,000 for the violation. OCR faulted the practice because it had failed to do a risk assessment to detect vulnerabilities in its security system. In other words, it never really took the time needed to figure out just how much protection it was providing for its PHI. The group had neither written policies and procedures in place to instruct staff on how to manage PHI nor trained its workers as required by HIPAA regulations.
The dermatology group agreement with HHS also necessitated that the practice implement a corrective action plan requiring it to develop a risk analysis and risk management plan to address and mitigate any security risks and vulnerabilities, as well as to provide an implementation report to OCR. Such agreements often require a provider to hire a third party such as a security firm to monitor its progress as it puts the new plan in place -- a rather expensive arrangement.
A review of other violations that resulted in fines reveals several security missteps made by various healthcare organizations. Among those mistakes are the following:
- Leaving backup tapes, optical disks, and laptops with unencrypted PHI unattended, which were then stolen (Seattle-based Providence Health & Services)
- Disposing of sensitive patient information in dumpsters that could be accessed by the public (CVS retail pharmacies)
- Disclosing ePHI to a third party that did not have administrative, technical, and physical safeguards in place. The third party was using the data for marketing purposes (Management Services Organization Washington, Inc.)
- Intentionally disclosing PHI to a national media outlet (Shasta Regional Medical Center)
- Exposing patient data as a result of security weaknesses in an online application database (Wellpoint)
- Failing to erase PHI from the hard drives of several leased photocopiers before the machines were returned to a leasing agent (Affinity Health Plan)
- Moving PHI to a publicly accessible server (Skagit County government, Washington)
- Allowing unauthorized employees to view PHI
This last breach, which occurred in the UCLA Health System, resulted in an $865,500 fine because unauthorized employees were snooping into the patient records of celebrity patients who were being cared for at the UCLA facility. That HIPAA violation raises a concern shared by many security specialists, who say the risk posed by insiders is greater than the threat coming from outsiders. The OCR bulletin describing the breaches states: "Employees must clearly understand that casual review for personal interest of patients' PHI is unacceptable and against the law."
A global look at all the OCR investigations offers some lessons learned that will help you concentrate on the most likely causes of a data breach. HHS lists the following issues as those most often investigated, in order of their frequency:
- Impermissible uses and disclosures of PHI
- Lack of safeguards of PHI
- Lack of patient access to their PHI
- Lack of administrative safeguards of electronic PHI
- Use or disclosure of more than the minimum necessary PHI
These breaches were most likely to occur in private practices, general hospitals, outpatient facilities, pharmacies, and health plans, in that order of frequency.
About the author:
Paul Cerrato has more than 30 years of experience working in healthcare and has written extensively on patient care, electronic health records, protected health information (PHI) security, practice management, and clinical decision support. He has served as Editor of InformationWeek Healthcare, Executive Editor of Contemporary OB/GYN, Senior Editor of RN Journal, and as contributing writer/editor for the Yale University School of Medicine, the American Academy of Pediatrics, Information Week, Medscape, Healthcare Finance News, IMedicalapps.com, and Medpage Today. The Healthcare Information and Management Systems Society (HIMSS) has listed Paul as one of the most influential columnists in healthcare IT.