PHI security demands leave life coach feeling doomed

Thriveworks CEO says technology hasn't kept pace with laws demanding eternal security of digital data.

Nothing like a little morbid humor from a life coach.

But given the difficulty of securing Personal Health Information (PHI) in the digital age, Anthony Centore, founder of the Virginia-based counseling and life-coaching firm Thriveworks, sounds like he could use a little counseling himself.

On the Thriveworks website, he has posted a lament titled, "Counselors are Doomed: Client Privacy and PHI in the Electronic Age," with a depressingly familiar list of reasons why those charged with protecting the personal information of their clients are in an almost impossible situation.

His list -- with each item beginning with, "We are doomed because &" -- is familiar to those in the data security business:

  • It is impossible to guarantee 100 percent security for digital data. Yet that is the demand placed on health care professionals by federal laws like HIPAA and HITECH;
  • Data breaches are on the rise, with some of the most famous corporations in the nation, including Sony, Tricare, Nasdaq and even Google unable to block them. Most healthcare firms, and there are thousands of smaller ones with only one to five clinicians, don't have the resources or tools to counter the sophistication of today's hackers;
  • The smallest of human errors -- something like confirming an appointment with a client via email that is not encrypted, amounts to a HIPAA violation and could lead to a stolen identity;
  • Passwords, even those that comply with the industry standard of nine characters including an upper-case letter and a number, can be hacked with relative ease with the use of brute-force techniques for which more than six quadrillion possibilities are no major obstacle;
  • There are social penalties for an attack that leads to a breach. Not only does a firm have to notify affected clients, but it gets added to a "hall of shame" by the federal Department of Health and Human Services;
  • Financial penalties can crush a company. Even in cases where individuals did not know, and even with reasonable diligence, would not have known that they were violating HIPAA regulations. They are liable for up to $50,000 per violation.

In an interview, Centore says the "doomed" mantra is a bit tongue-in-cheek, but the rest of it is serious. He believes the laws have outpaced the technology. "There is no reasonable technology that can keep your data completely safe," he says, "but the penalties are still there for violations, and they are really strict penalties."

Centore says Thriveworks, with headquarters in Virginia and practices in Boston and Philadelphia, also serves "several hundred small practices around the country." He says he spends tens of thousands of dollars to comply with HIPAA and other regulations.

"We will defend our data in every area we can," he says. "We have somebody assigned to comply with HIPAA. Our staff is trained and re-trained in how to handle case notes and on doing everything we can do to make sure information is sacrosanct."

But, he says, "smaller practices can't spend what we spend."

Robert Siciliano, McAfee consultant and identity theft expert, says it is important to emphasize that, "numerous industry studies by researchers like Javelin and in reports by Verizon, McAfee and others notes that most data breaches occur as a result of inaction, lack of policy, procedure, systems in place and an overall lack of awareness.

Centore says he knows human error is the greatest risk factor in breaches and that, "little mistakes can have a big impact."

Siciliano adds that many security experts argue that "spreading doom-and-gloom scenarios just perpetuates fear, uncertainty and doubt" -- concepts so pervasive that they have their own acronym: FUD.

But, he says, "the reality is that fear does promote awareness, which in turn facilitates actionable security. There is something to be said for reviewing the fundamentals of effective security policy and procedure."

And despite his "doomed" theme, Centore does not advise giving up. He offers the standard but critical list of security tips: Make your passwords more complicated, don't use the same one for multiple accounts and never store them on your computer; Don't leave case files in your car; Update your computer's operating system and other protection.

He adds another specific to health providers: Don't store client records any longer than required.

Copyright © 2012 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline