In the endless conflict over the protection of PHI – Protected Health Information – the good guys appear to be losing more battles, but winning the overall war, at least for the moment.
According to a study released early this year by IT security auditing vendor Redspin, "large" breaches of PHI (those affecting more than 500 records) jumped 21.5 percent, from 121 to 146, between 2011 and 2012. But the total number of individual records compromised dropped 77 percent, from 10.6 million to 2.4 million, over the same period.
Dan Berger, president and CEO of Redspin, cautioned that this could be misleading — that it takes only one catastrophic breach to skew those numbers in the other direction. "While that looked like a trend earlier this year, it has been essentially negated by the Advocate Health breach of more than 4 million patient records as a result of the theft of a desktop computer this past July," he said.
That made the largest breach of 2012 – 780,000 records from the Utah Department of Health – look paltry by comparison.
There was yet another major breach on Oct. 12, when two password-protected laptops containing 729,000 patients' data were stolen from the administrative offices of AHMC Healthcare Inc. Still, the total remains well below the number of individual records breached in 2011.
And at least some experts say the downward trend could continue, or even accelerate, with the implementation last month of the Omnibus Rule, the latest update to the Health Insurance Portability and Accountability Act (HIPAA) regulations.
The biggest change is that the update vastly expands the number of organizations directly responsible for compliance with HIPAA requirements, which also makes them liable for failure to secure PHI. Instead of those regulations applying only to health care providers, known as "covered entities," the list of responsible and liable parties now includes their Business Associates (BA) as well – dozens or even hundreds of vendors, contractors and consultants they hire – and even the subcontractors of those BAs, if they handle PHI.
Rachel Seeger, of the federal department of Health and Human Services (HHS) Office of Civil Rights (OCR), which enforces the HIPAA regulations, said BAs and subcontractors are now "directly liable" for compliance with certain HIPAA privacy and security rules, including:
- Impermissible uses and disclosures (including more than the minimum necessary)
- Failure to provide breach notification to the covered entity (such as a health care provider), or, if a subcontractor, to the BA
- Failure to provide an individual with electronic access to his or her PHI
- Failure to make internal practices, books, and records available to the HHS secretary to determine compliance with the HIPAA Rules
- Contractual liability for requirements of the business associate agreement
- Liability for actions of agent subcontractors
The penalties per violation range from $100 to $50,000, depending in part on whether the violation was caused by ignorance or willful neglect, with a maximum of $1.5 million per year for violations of a specific provision.
Berger said he thinks the new focus on BAs will yield substantial dividends. "Given that more than 50 percent of PHI breaches to date have involved a business associate in some way or another, we should expect great improvement," he said.
The HIPAA update requires custodians of PHI to make sure it is "unusable, unreadable and undecipherable" by any unauthorized parties. Redspin said it expected this requirement to curb both the number of data breaches and the damage they cause, since meeting it would require encryption on all portable devices; a third of all large breaches to date were caused by the loss or theft of portable devices.
Security experts offer mixed opinions on how much those recommendations and the new Omnibus Rule will reduce breaches of PHI. Danny Lieberman, CTO of Software Associates, is dubious. "I think the Omnibus Rule has low-balled the amount of work that BAs and hospitals need to do to detect and prevent data loss," he said.
Lieberman noted language in the new rule that says BAs and subcontractors "should already have in place security practices that either comply with the Security Rule, or that require only modest improvements to come into compliance..."
"There is no basis in the empirical data – considering the volume of data breaches – to make statements like that," he said. "The U.S. healthcare system is so complex, I don't see how making data breach a criminal offense will mitigate the attacks on PHI."
Martin Fisher, director of information security for Wellstar Health System, is more optimistic. While he does not think the number and breadth of breaches will decline immediately, "if enough traction happens, over time you'll see the number of breaches come down," he said, comparing it to improvements in standards for the Payment Card Industry (PCI). "That is a good template for what you are likely to see," he said.
Fisher said one of the best things about the update is that "it provides a sense of finality to the rule. Operating under an interim rule always makes you question the investments you are going to make — will the BlinkyLight you're buying meet the final requirement? That sense of certainty is a very good thing."
There is also some doubt that encryption will provide bulletproof protection to PHI. The mantra in the security industry for years has been, "encryption is not enough." Berger argues it is nonetheless "one heck of a way to start." "More than 50 percent of the breaches to date would not even have qualified as reportable breaches if the devices had been encrypted. Ultimately, security is about reducing risk," he said.
Cam Roberson, director of the Reseller Channel at Beachhead Solutions, agrees that encryption provides some protection, but only some. "Encryption protects data if the power is off and the password is unknown or can't be learned or hacked," he said. "However, encryption cannot protect the data if a device is stolen with the power on and the computer is authenticated or if the password is somehow compromised."
While the update does not address it directly, there are also risks from BYOD (Bring Your Own Device) in a world increasingly dominated by smartphones and tablets. Bob Russo, general manager of PCI SSC (Payment Card Industry Security Standards Council), said recently that mobile devices for the consumer market do not meet PCI DSS (Data Security Standard) compliance requirements.
But most experts agree with Fisher, who said attempting to ban them in health care organizations would be "idiotic. Very few things will function as an enabler of improving patient experience and safety than well deployed mobile technologies. It is the way things are going. Fighting that is like fighting a rising tide," he said, adding that it is possible to comply with HIPAA standards through Mobile Device Management (MDM) technologies and applications.
Still, all agree that the human element, both from innocent mistakes and malicious intent, can trump policy and technology.
Lieberman agrees that encryption has some value, but said, "because it's so easy to attack endpoints – think people, default passwords, Windows vulnerabilities and USB – encryption is good for transporting data but as long as you have endpoints you will have data breaches."
And he doesn't believe "security awareness" training is an effective countermeasure. Those who do believe in it, he said, should let employees know they will be held accountable. "Make sure you fire people immediately if they break your data governance policy," he said. "If you don't have one, write one today and work top down from the CEO to line managers making sure everyone knows what data governance means — the policy should be a half page and should finish with, 'You get fired if you break it.'"
Lieberman said the major risk of a data breach due to loss or theft is not employee carelessness. "It is a behavior issue but it's mostly a criminal issue," he said, "and that is not mitigated by training. When there is a financial incentive to steal data and you have an insider or partner with access, then you have motivation and means and all you need is opportunity to have a crime."
Fisher is also dubious that training employees in security consciousness will curb breaches. "We need to 'build security in,' and make the secure way of doing business the way the business people will use by default. I'm not saying effective awareness training has no value but putting too much reliance on it is not a winning strategy," he said.
Roberson agrees. "Productivity trumps security," he said. "Consider the salesperson in the field who has a better chance of closing business if they have immediate access to important data. Think he or she wouldn't do it? The likely thought process would be that, 'Closing business is in the best interest of my firm, and a security breach will never happen to me.'"