
Meaningful Use Stage 3: The Importance of Healthcare Security

By: Charles Settles | October 30th, 2015

The stakes for healthcare security have never been higher, yet healthcare organizations and EHR companies struggle to maintain compliance with an ever-increasing number of requirements and regulations — like the upcoming third stage of Meaningful Use.

Healthcare Facilities Under Attack

Since 2009, healthcare organizations have lost nearly $32 billion from 1,286 reported HIPAA-related security breaches and their associated expenses, according to research from Privacy Analytics, a healthcare security solutions vendor.

Of those reported breaches, 868 — or over two-thirds — were the fault of the healthcare provider. According to a recent study from KPMG, 80 percent of facilities or health plans suffered a cyber-attack during 2013–2015. Executives cite the following as their top vulnerability concerns:

  1. Malicious external attacks/hackers: 65 percent
  2. Improperly sharing protected health information with third parties: 48 percent
  3. Employee-related threats: 35 percent
  4. Wireless computing: 35 percent
  5. Inadequate firewalls: 27 percent

Unfortunately, at many healthcare facilities and clinics, security is full of holes once you look beyond the physical building. Remember, this is the industry that panicked in 2014 when Microsoft announced it was discontinuing support for Windows XP — an operating system released in 2001.

So what are the odds your doctor’s office has a firewall or even basic endpoint security?

Healthcare facilities aren’t usually adopting the latest and greatest anything, unless it’s a profit center. For many healthcare organizations, IT is mostly an afterthought (at best) or a challenge to be overcome (at worst). And security is the uniformed person that patrols the premises after dark.

“Hospitals have low security, so it’s relatively easy… to get a large amount of personal data for medical fraud,” notes healthcare security expert Dave Kennedy, CEO of information security consulting firm TrustedSEC. Once acquired, data such as names, birth dates, policy numbers, etc., helps criminals create fake identification for purchasing drugs, filing claims for fake visits, and other nefarious purposes.

Of course, it’s not just external security threats that trouble healthcare organizations; internal mishandling of data can be just as costly. With seemingly innumerable threats bearing down from all directions, an increased focus on technical and administrative security should be a priority for every healthcare organization.

The Trouble with Dynamic Regulations

Improving security has been a major focus for many organizations, but what is secure? Defining it has been a never-ending process, especially because every new piece of healthcare legislation institutes yet another security mandate. To further muddy the waters, providers are required to report on various initiatives, many with overlapping or conflicting requirements — HIPAA and Meaningful Use are perfect examples.

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was the first real attempt to define Protected Health Information (PHI) and how it should be regulated. Title II (the relevant portion of the legislation) provided for the creation of various rules: the Privacy Rule, Transactions and Code Sets Rule, Unique Identifiers Rule, Enforcement Rule, and — most important to this discussion — the Security Rule.

As you’re no doubt aware, the Rules require a host of security-related measures, but they also mandate that PHI be made easily available to patients, law enforcement (in certain cases, such as suspected child abuse), or to facilitate treatment or payment for a health condition. The rules are full of undefined language such as “must take reasonable steps” or “business associates.” Because of the wording, it can be difficult for providers and other covered entities to ensure they’re always in compliance — which bears a striking resemblance to complaints some have had about the Meaningful Use program.

The Health Information Technology for Economic and Clinical Health (HITECH) Act, enacted as part of the American Recovery and Reinvestment Act (ARRA) of 2009, proposed the meaningful use of interoperable electronic health records (EHRs) across the United States healthcare system as an essential national goal. To that end, HITECH provided for incentives — and penalties — to be designed and awarded by the Centers for Medicare and Medicaid Services (CMS) and the newly created Office of the National Coordinator for Health IT (ONC-HIT). The legislation outlined five areas of focus:

  1. Improve the quality, safety, and efficiency of care
  2. Improve engagement with patients and families
  3. Improve care coordination
  4. Improve population and public health
  5. Improve privacy protections and the security of personal health information

From these relatively amorphous goals came the various stages, clinical objectives, and quality measures that make up the Meaningful Use Incentive Program. While the goals are laudable, the implementation hasn’t been without complaint.

Why Providers Are Frustrated

Perhaps the most frustrating aspect of healthcare security for many is: It’s a moving target.

Beginning with HIPAA and continuing with nearly every other piece of healthcare-related legislation, bureaucrats and lawmakers seem incapable of making up their minds — though to be fair, much of this waffling is the fault of various stakeholder organizations lobbying for changes, exclusions, and/or delays to healthcare initiatives.

Security requirements were essentially left out of the first stage of Meaningful Use — it wasn’t until Stage 2 that ONC-HIT decided what a “Base EHR” was, finally including security certification criteria and defined standards. However, since ONC-HIT didn’t require that any EHR applications or modules meet those standards, eligible providers and healthcare facilities had to determine — for themselves — whether or not the systems they were considering adopting (or already using) actually met the “Base EHR” definition and were therefore in compliance.

Thankfully, the now-finalized third stage has outlined security requirements on a module-by-module basis. This means that if an EHR vendor achieves certification under Stage 3’s ‘2015 Edition,’ providers can rest assured that their software is in compliance.

However, even with clearly defined security requirements, organizations will still need to worry about penalties.

Robert Tennant is the health information technology policy director at Medical Group Management Association (MGMA). In an exclusive interview with Physicians Practice, he revealed that many organizations are being penalized during Meaningful Use audits because they’ve neglected to conduct required security and risk analyses.

This boggles the mind, as conducting these analyses requires little more than a checklist — or ONC-HIT’s handy-dandy, free downloadable tool — and a pen.

The good news?

Stage 3 should help organizations solidify their security — at least on paper. Unfortunately, it won’t solve the most pressing issues — like the ones at the top of this page. Furthermore, as more information is exchanged via APIs or HIEs, there’s increased opportunity for a breach — and Stage 3 proposes to greatly increase the electronic flow of information between patients and providers. Organizations can ill afford to neglect security for much longer.

Author Bio

Charles Settles is a product analyst at TechnologyAdvice. He covers topics related to marketing automation, healthcare IT, human resources, and project management. Connect with him on LinkedIn.