
Securing the future

Privacy preparedness is “on a positive slope,” but there’s still lots of work to do
By Mike Miliard , Executive Editor

Chief information officers, chief privacy officers, chief compliance officers and all the other assorted C-level titles charged with locking down health information security have a lot on their plates nowadays. Now they’ve got something else to think about.

The long-awaited omnibus HIPAA Privacy and Security final rule, finally published by the Department of Health and Human Services in January, has shifted the prism through which the protection of patient health information must be viewed.

The new rule expands patients’ rights with regard to their own health information, broadens the responsibilities of business associates, increases the penalties for compliance failures, bolsters HITECH breach notification requirements – and generally makes more work for put-upon technology and privacy officers.

Lisa Gallagher, senior director of privacy and security at HIMSS, says there are some areas of the rule that bear watching – especially the responsibilities borne by providers when it comes to breach notification.

Initially, the notion was that the covered entity, when they discovered a breach, “should do an assessment of what they thought the potential impact would be, what the potential harm would be to the patient, and if they thought the potential harm was low, then they didn’t have to notify them at all,” says Gallagher.

“During the comment period, there was a lot of discussion about that. Privacy advocates were not in favor,” she adds. “It didn’t seem right to put the organization that had the breach in the position to determine what the harm would be to the patient. They were in favor of notification in all cases.”

In the end, HHS “came up with something different, which they viewed as less subjective than the harm provision, and more germane to the problem, which is a breach,” says Gallagher. “What they said is that the organization needs to do a risk assessment to determine the probability that data was actually compromised. If it was a fairly reasonable probability that it was, then they should notify; if it was a low probability, they could choose not to.” 

That’s a gray area, that is “something that the industry will be talking about for a while, and we’re going to have to figure out how to implement,” says Gallagher.

In December, HIMSS released the findings of its fifth annual security survey. The findings were a mixed bag: definite progress in some respects, but the undeniable sense that the industry as a whole is still painfully vulnerable.

Among its findings: Just 43 percent of respondents said their organization has tested its data breach response plan; two-thirds said they’ve audited their IT security plans; respondents graded their security environment an average score of 4.64 (on a scale of 1 to 7, least to most secure); security budgets are still not as robust as they should be, with more than half of organizations earmarking just 3 percent or less of their overall IT budget on locking down patient data.

Reported cases of medical identity theft in the past five years have decreased, from 20 percent in 2008 to 11 percent in 2012, according to the HIMSS Security Survey, but still one-quarter of organizations said they had sustained a security breach in the past year.

“The numbers are on a positive slope,” says Gallagher. “There are more hospitals and practices doing risk assessments than there have been over the past few years.”

Still, “to ask me whether that slope is satisfactory is a difficult question.”

And how the new omnibus HIPAA rule will play into the changing landscape remains to be seen. The stakes are high: Speaking at the Healthcare IT News/HIMSS Media Privacy & Security Forum in December, Leon Rodriguez, director of HHS’ Office for Civil Rights, promised that “We have moved into an area of more assertive enforcement,” and there will be “more monetary settlements.”

“I’ve always thought that the risk-based approach to the security rule is right,” says Gallagher. “And there is plenty of buy-in behind doing a security risk assessment. I continue to believe it’s the right approach. So does HHS. That’s what they said they wanted to see in the meaningful use attestation. They’ve been consistent.”

In the final rule, “They’re doing that again. They’re saying ‘Do a risk assessment.’ And I think it’s the right approach. There is a discipline behind this, and it is a known process.” 

Still, she says, “That doesn’t mean that a healthcare organization reading the rule today will know how to do that. They can learn how to do that, and I do think it is less subjective in that sense. Because we can develop a process to help get them where they need to be. At HIMSS, that’s what we do. We have so many tools and resources.”

Confusion still plagues some providers. And budgets are tight. But at least there’s an awareness of what’s at stake, and what has to be done, that wasn’t there in years past, says Gallagher. 

“You have to know what your challenges are,” she says. “You have to be right on top of them, because they can easily pass you by. I almost think that’s what happened with mobile technology. (See sidebar, page 60.) We’re focusing on EHRs, and enterprise IT infrastructure, and here comes this other technology and all of a sudden it’s on our network. We need to be smart, and understand the technology evolution, the innovation we’re seeing, and how it can potentially impact us.”

Gallagher says she’s hopeful that when HIMSS conducts its survey again next year, “we’ll see a significant increase” in privacy and security protections.

After all, “This is not optional,” she says. “Vulnerabilities will be exploited. Whether it is malicious, or some employee doing something they shouldn’t, it doesn’t matter. Patient data will be compromised.”

Doing what’s right by patients – and the law – is “not that easy,” says Gallagher. “But organizations have to do this. It’s just the way it is.”


Mobile Madness

"I always hated this time of year," one former hospital CIO told me with a laugh in early January. "Physicians would walk in and say, 'I got this for Christmas! I want to use this!'"

He was referring to BlackBerries, iPhones, and all those other mobile devices that have been giving IT and security officers fits as they try to keep docs happy while keeping data secure.

Bring your own device (BYOD) policies have quickly become common in healthcare settings nationwide, even if their exact prescriptions remain thorny.

"Six months or a year ago, we were talking about [BYOD] in terms of a challenge as far as making a decision whether to allow it," says Gallagher. "Now it's already being allowed. And we have organizations who need to catch up with regard to policies and procedures for management of those devices."

With these devices so convenient and so well loved, it's hard to argue against their place in the clinical setting. But they make for massively multiplied risk.

Many hospitals and practices are letting physicians "connect to the network, without having any control over it," says Gallagher.

In more and more cases, the security situation has become "urgent," she says. "It's much more important that they put policies in place, educate their users, understand which devices they're allowing them to connect, have them sign agreements showing that they understand the parameters of their use on the network and monitor it."

Providers "have to understand the seriousness of the risks they've introduced to their network, and manage them," says Gallagher.

If the will or the resources to manage these policies properly aren't there, that might mean rescinding them. That might make some physicians unhappy. But that's the price to pay for safeguarding patients' security.

"If [providers] have already introduced BYOD without any management of it, and they've determined they do not have the resources to manage it, they should not allow it," says Gallagher. "They should allow only those devices that are provided and managed by the organization. That's just a purely common-sense, risk-based recommendation."

Her advice? "I would say do a security risk assessment of their entire infrastructure that includes the personally-owned devices that are connected to it. And do it immediately. That means going down to the level of detail of who has what device and how those devices are configured and what data those devices are able to access."

She points out that HHS has shown that 40 percent of the breaches come from lost or stolen devices. And "that's only the ones that are lost and stolen, not even the ones that are being used inappropriately. 

"It's a big problem," says Gallagher. "It can't be ignored."

- MM
