
Stanford hospital breach shows danger of losing data control

By Molly Merrill, Associate Editor

Patient data lost while in the hands of a business associate becomes "extraordinarily" difficult to track, says one expert, who identified data-centric protection as a way to safeguard information like that recently exposed at Stanford Hospital and Clinics.
 
The New York Times is reporting that the Stanford breach involved the medical records of 20,000 emergency patients, containing information such as names, diagnosis codes, account numbers, admission and discharge dates and billing charges for patients seen during a six-month period in 2009.

The spreadsheet containing this information sat on a website called "Student of Fortune" for almost a year before a patient discovered it. Hospital officials are unsure how the data got onto the site, since it was in the care of the hospital's billing contractor, identified by the New York Times as Multi-Specialty Collection Services.

When sensitive data like this is shared with a business associate, a provider is “essentially buying their capacity to protect that information,” says Geoff Webb, director of product marketing at Credant Technologies in Addison, Texas.

Webb says he would expect a billing company handling this type of sensitive data to have technical controls in place such as real-time monitoring, data loss prevention, encryption, and post-breach analysis and monitoring.

But once data is taken outside an organization's network, he says, it is critical to have data-centric protection as well: protection bound to the data itself, so that the records remain protected even when an employee copies or moves them somewhere the network controls cannot see.
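As an added illustration of the data-centric protection Webb describes (example code written for this article, not Credant's product and not anything Stanford or its contractor used), the program below encrypts the sensitive columns of a billing spreadsheet before it is handed to a business associate. The column layout, the two rows and the key are constructed for the example; in practice the hospital would hold the key and the contractor would receive only the protected file. Each cell is sealed with AES-256-GCM using the column name as associated data, so a copy of the spreadsheet posted on a public site shows only ciphertext, a wrong key fails authentication, and a ciphertext pasted into a different column fails to decrypt.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// Column layout of a hypothetical billing export (constructed for this example).
var header = []string{"name", "diagnosis_code", "account_number", "admit_date", "discharge_date", "charges"}

// Columns that must never leave the hospital in the clear.
var sensitiveCols = []int{0, 1, 2}

// Constructed sample rows; not real patient data.
var sampleRows = [][]string{
	{"Alice Example", "J18.9", "ACCT-10001", "2009-03-02", "2009-03-04", "1820.00"},
	{"Bob Example", "S72.001A", "ACCT-10002", "2009-05-11", "2009-05-15", "9410.50"},
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealField encrypts one cell. The column name is bound as associated data,
// so a ciphertext moved to another column is rejected on decryption.
func sealField(aead cipher.AEAD, column, plaintext string) (string, error) {
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := aead.Seal(nil, nonce, []byte(plaintext), []byte(column))
	return "enc:" + base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

func openField(aead cipher.AEAD, column, field string) (string, error) {
	if !strings.HasPrefix(field, "enc:") {
		return "", errors.New("field is not protected")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimPrefix(field, "enc:"))
	if err != nil {
		return "", err
	}
	ns := aead.NonceSize()
	if len(raw) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := aead.Open(nil, raw[:ns], raw[ns:], []byte(column))
	if err != nil {
		return "", err // wrong key, tampering, or column swap all land here
	}
	return string(pt), nil
}

// ProtectRows returns a copy of rows with the sensitive columns encrypted;
// billing fields such as dates and charges stay readable for the contractor.
func ProtectRows(key []byte, rows [][]string) ([][]string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := make([][]string, len(rows))
	for i, row := range rows {
		cp := append([]string(nil), row...)
		for _, c := range sensitiveCols {
			if cp[c], err = sealField(aead, header[c], row[c]); err != nil {
				return nil, err
			}
		}
		out[i] = cp
	}
	return out, nil
}

// UnprotectRows reverses ProtectRows; only a holder of the key can call it usefully.
func UnprotectRows(key []byte, rows [][]string) ([][]string, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	out := make([][]string, len(rows))
	for i, row := range rows {
		cp := append([]string(nil), row...)
		for _, c := range sensitiveCols {
			if cp[c], err = openField(aead, header[c], row[c]); err != nil {
				return nil, err
			}
		}
		out[i] = cp
	}
	return out, nil
}

// LeaksPlaintext reports whether any sensitive value from the original rows
// appears verbatim in the protected rows, i.e. what a scraper of a public site would see.
func LeaksPlaintext(original, protected [][]string) bool {
	for i, row := range original {
		joined := strings.Join(protected[i], ",")
		for _, c := range sensitiveCols {
			if strings.Contains(joined, row[c]) {
				return true
			}
		}
	}
	return false
}

func main() {
	key := []byte("0123456789abcdef0123456789abcdef") // constructed; hospital-held in practice
	prot, err := ProtectRows(key, sampleRows)
	if err != nil {
		panic(err)
	}
	for _, row := range prot {
		fmt.Println(strings.Join(row, ","))
	}
	fmt.Println("plaintext visible in protected file:", LeaksPlaintext(sampleRows, prot))
}
```

The protected export is still usable for the billing work the contractor is paid for (dates and charges are untouched), while the fields that identify a patient are useless to anyone who finds the file without the hospital's key. Nonces are fresh per cell, so identical values in two rows produce different ciphertexts and cannot be correlated across the sheet.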

Webb says healthcare organizations need to “nail” these data control issues now – especially as cloud adoption becomes more prevalent. Indeed, these breaches will look modest compared to what could happen in the future, given the amount of data that can be stored in the cloud, he warns.

Healthcare IT security expert Mac McMillan, CEO of Austin, Texas-based CynergisTek and chairman of the HIMSS Privacy and Steering Committee, sees the breach as one more incident showing that HIPAA is lacking.

"This is yet another example of a failure to protect patient privacy due to a lack of due diligence in vetting vendors as a result of an inadequate standard. If you look at the federal sector or the banking sector you'll see very detailed requirements for establishing the trustworthiness of vendors. HIPAA just falls short," he says.

"Hopefully the revised rule will address some of these shortcomings to include clarifying the responsibility of covered entities, business associates and sub-contractors for knowing who they are sharing patient information with and how they should do that. Simple business associate agreements are not enough," McMillan says.