Costs Can Mount Quickly With Health Data Breach6
- HHS potential fine: up to $1.5 million per incident
- Patient notification: Approximately $4 per patient
- Possible credit monitoring services: $10 per affected patients
- Potential class action lawsuit: $250,000 - $500,000
Serious health data breaches continue to pile up, despite the best efforts of healthcare organizations nationwide. In July, UCLA Health reported cybercriminals had accessed networks containing confidential data on 4.5 million people.1 Hackers earlier this year broke into as many as 80 million customer records at Anthem Inc.2 And smaller but no less dangerous breaches are impacting providers and payers seemingly on a monthly basis.
How widespread is the problem? A recent survey found that two-thirds of healthcare organizations have experienced a “significant” data security incident within the past year. The survey was conducted by the Healthcare Information and Management Systems Society (HIMSS) and also revealed that 42% of respondents believe there are too many emerging and new threats to track.3
Another report by Experian calls the risk of healthcare data breaches “persistent and growing” and projects the costs of unauthorized access will reach $5.6 billion in 2015.4 The Department of Health and Human Services (HHS) estimates data breaches have affected 37 million people, or one in 10 Americans, since 2009.5
“The impact of a breach can be significant not only for the individual patients affected, but for the provider as well,” said Joe Lineberry, compliance officer, McKesson Business Performance Services (McKesson). “That’s why it’s essential that security remains a constant and ever-present priority for all provider organizations. The stakes are too high to do otherwise.”
Seven steps to better security
The Office of the National Coordinator for Health Information Technology (ONC) recently produced an updated guidebook designed to help small to medium-sized provider organizations and other health professionals comply with federal privacy and security regulations. The publication, entitled Guide to Privacy and Security of Electronic Health Information (PDF, 1.26 MB), provides practical tips and information for strengthening security.
These include a detailed, seven-step approach for implementing an effective security management program. The guidebook also addresses the security-related requirements of Meaningful Use for the Medicare and Medicaid Electronic Health Record Incentive programs.
Highlights of the ONC’s seven steps include:
1. Lead Your Culture, Select Your Team, and Learn
- Designate a security officer or officers.
- Discuss HIPAA security requirements with your EHR vendor/developer.
- Consider using a qualified professional to assist with your security risk analysis.
- Use tools to preview your security risk analysis.
- Refresh your knowledge of HIPAA rules.
- Promote a culture of protecting patient privacy and securing patient information.
2. Document your Process, Findings and Actions
Documentation of risk analysis and Health Insurance Portability and Accountability Act (HIPAA)-related policies, procedures, reports and activities is a requirement under the HIPAA Security Rule. Also, the Centers for Medicare and Medicaid Services (CMS) advises all providers who attest for electronic health records (EHR) incentive programs to retain all relevant records that support attestation.
Examples of records to retain include:
- Policies and procedures
- Completed security checklists
- Training materials
- Updated business associate agreements
- Security risk analysis report
- EHR audit logs showing both utilization of security features and efforts to monitor users’ actions
- Risk management action plan
- Security incident and breach information
3. Perform Security Risk Analysis
The risk analysis process assesses potential threats and vulnerabilities surrounding the confidentiality and integrity of electronic protected health information. Findings from this analysis will help drive your risk mitigation strategy.
A comprehensive analysis involves two primary steps:
- Understand where electronic health information exists in your practice and how it is created, received, maintained and transmitted.
- Identify potential threats and vulnerabilities, including human threats, such as cyber-attack, theft or workforce error; natural threats, such as earthquakes, flood, tornadoes and fire; and environmental threats, such as power loss. Vulnerabilities are flaws or weaknesses that, if exploited by a threat, could result in a security incident.
4. Develop an Action Plan
Using the results of the risk analysis, discuss and develop an action plan to mitigate identified risks. The action plan should focus on high-priority threats and vulnerabilities. It is important that your security plan be feasible and affordable for your practice. Take advantage of the flexibility that the HIPAA Security rule provides.
The plan should contain the following five components:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational standards
- Policies and procedures
5. Manage and Mitigate Risks
Following the action plan involves four parts:
- Implement the plan with the appropriate safeguards.
- Prevent breaches by educating and training your workforce, including employees, volunteers, trainees and contractors. Training should include roles and responsibilities, existing policies and procedures, including those to follow in the event of a breach.
- Communicate with patients. Inform them that you place a priority on maintaining the security and confidentiality of health information. Address patients’ individual health information rights, including the right to access or obtain a copy of their records. Educate them about how their information is used and shared. Notify affected patients and caregivers when a breach of health information occurs in accordance with your policies and procedures.
- Update your business associate contracts to ensure that partners fully comply with relevant safeguards, train their workers and adhere to requirements surrounding patient rights and breach notification.
6. Attest to the Meaningful Use Security-Related Objective
The EHR incentive programs provide incentive payments to eligible providers able to demonstrate adoption, implementation, upgrading and meaningful use of electronic health information. Attesting entails meeting the Meaningful Use requirements for the reporting period. These include conducting a security risk analysis and correcting and documenting any identified deficiencies.
7. Monitor, Audit and Update Security on an Ongoing Basis
Have your security officer, IT administrator and EHR developer work together to help make sure that your system’s monitoring/audit functions are active and configured to your needs.
Key determinations could include:
- Deciding whether to conduct audits in-house, use an information security consultant or some combination of the two.
- What to audit and how the audit process will occur.
- Identifying trigger indicators or signs that protected health information may have been compromised and further investigation is required.
- Establishing a schedule for routine audits and guidelines for random audits.
Audit capabilities also require that providers have the ability to maintain an audit log that documents who, what, when, where and how a patients’ protected health information has been accessed.
Lineberry said that organizations shouldn’t feel overwhelmed by the task of developing, implementing and maintaining a robust security capability.
“It’s an iterative, ongoing process, but the most important single element is vigilance,” he said. “You just have to stay after it. Complacency and inaction are the greatest danger.”