There’s a storm brewing in the healthcare security and privacy arena that will stretch the resources of even the most nimble healthcare provider organizations, as they face challenges on multiple fronts. On the policy side, providers will face steeper fines for breaches, backed up with tighter enforcement. Meanwhile, rapidly evolving medical devices, coupled with the emergence of mobile devices in the workplace, are requiring that providers reevaluate their security policies. At the same time, new care delivery and communication models, such as accountable care organizations (ACOs) and health information exchanges (HIEs), are remaking the healthcare delivery landscape—and the security and privacy policies that go with it.
As if this was not enough, these developments have been taking place at a time when data breaches at healthcare provider organizations are on the rise. In 2013, medical identity theft was up 20 percent compared to the year before, according to a report released last September by the Traverse City, Mich.-based Ponemon Institute. Malicious attacks have increased in number as well as the level of sophistication, say experts.
Meeting security challenges and protecting patient data will require extra vigilance, as well as rethinking how technology and policy decisions can help minimize those risks, according to security professionals interviewed.
Compliance Issues Come To The Fore
Compliance in general is going to be a big issue across the board for all CIOs, according to Micky Tripathi, founding president and CEO of the Massachusetts eHealth Collaborative (MAeHC), Waltham, Mass., who has also been named co-chair of the Office of the National Coordinator Tiger Team, a workgroup on privacy and security issues. He notes that the Health Insurance Portability and Accountability Act (HIPAA) Omnibus Rule has raised the penalties for breaches significantly—to as much as $1.5 million per incident.
Tripathi expects to see more compliance audits from the Department of Health and Human Services’ Office of Civil Rights (OCR). “Starting with the passage of HIPAA Omnibus, they have upped their diligence around these audits, because they realize that with these electronic systems, there is a different type of exposure they need to be on top of; and as these rules are getting more stringent, they need to do more audits,” he says.
Mac McMillan, co-chair of the HIMSS Policy and Security Policy Task Force and CEO of Austin, Texas-based CynergisTek, Inc., agrees, noting that the heightened HIPAA requirements have strengthened the bond between covered entities and their business associates. Formally, business associate agreements are required; but informally, the risk is much higher, because if business associates have a breach, they are going to be investigated, he says. If a provider’s vendor experiences a breach, the covered entity must make all of the notifications to the affected parties and media; and when a vendor is investigated, the OCR is going to want to know how the relationship is defined and managed by the covered entity. The upshot: “You can’t just give the vendor a business associate agreement and say, ‘I’m done.’ You have to have more visibility into what they are doing and whether they can meet their obligations,” he says.
In addition to all of this, the rapidly increasing level of consolidation and affiliations taking place in healthcare today, as the result of trends such as accountable care and HIE, is putting extra security demands on organizations. This has raised significant technology challenges, according to Tripathi. In some cases, hospital systems try to wipe the slate clean of disparate systems and put everyone on the same network with a single set of technology controls around security and uniform policies around them, he says. Most often, the result of such efforts is a hodgepodge of different acquired platforms, raising the challenge of enforcing uniform security across disparate systems.
In fact, consolidation and acquisitions raise a host of issues around the need to control access to patient records for physicians from affiliated organizations—a challenge that becomes especially acute in the ambulatory world, with organizations that are setting up private HIEs. “Ambulatory tends to be a whole different world,” Tripathi says. “How do you bring all of those users under the same security and policy umbrella, where they have a different system and they have been operating under less formal policies? Now they are part of a bigger enterprise, and you have to extend your policies out to make sure the diligence is applied to the smaller practices under your umbrella.”
Tripathi offers this advice to organizations: first, consider the nature of the affiliations involved, and the nature of the information that is going to be exchanged to support the clinical and business models that are being put in place. If the nature of the relationship is limited—such as jointly sharing some specialists who will work part time at each hospital—it may be possible to enable technology to support only that limited type of integration, which will limit the risk of the organizations involved, he says. Second, take a look at the orchestration of technology and policy controls. In some cases, technology can implement the policy—for example, allowing physicians to see only the patients with whom they have a care relationship, by locking down areas of the electronic health record. Policy controls should be strengthened where technology can’t be used as an enforcement mechanism, he says.
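The “technology can implement the policy” point above, as an added example that is not from the article or from any organization it names: a small relationship-based access check in which a clinician can read a patient’s chart only while a documented care relationship is active, with every denial recorded for audit. The clinician and patient identifiers, dates and the emergency “break-glass” override are all constructed assumptions for the example; the override illustrates the last sentence of the advice, a case where technology cannot judge the situation, so the read is allowed but flagged for policy review.

```python
"""Added example (not from the article): relationship-based chart access.

A clinician may read a chart only during an active care relationship.
Every decision is written to an in-memory audit log so that denials and
break-glass reads can be reviewed. All identifiers and dates below are
constructed sample data.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional


@dataclass(frozen=True)
class CareRelationship:
    """A clinician's documented care relationship with one patient.
    end=None means the relationship is still open."""
    clinician_id: str
    patient_id: str
    start: date
    end: Optional[date] = None

    def active_on(self, day: date) -> bool:
        return self.start <= day and (self.end is None or day <= self.end)


@dataclass
class EhrAccessPolicy:
    """Decides chart reads from care relationships and records each decision."""
    relationships: List[CareRelationship] = field(default_factory=list)
    audit_log: List[Dict] = field(default_factory=list)

    def has_care_relationship(self, clinician_id: str, patient_id: str, day: date) -> bool:
        return any(
            r.clinician_id == clinician_id
            and r.patient_id == patient_id
            and r.active_on(day)
            for r in self.relationships
        )

    def can_read_chart(self, clinician_id: str, patient_id: str, day: date,
                       break_glass: bool = False) -> bool:
        """Return True if the read is permitted; log the decision either way."""
        if self.has_care_relationship(clinician_id, patient_id, day):
            decision = "allow"
        elif break_glass:
            # Hypothetical emergency override (an assumption, not from the
            # article): the system cannot verify the emergency, so the read
            # is permitted but flagged for human policy review.
            decision = "allow-break-glass"
        else:
            decision = "deny"
        self.audit_log.append({
            "clinician": clinician_id,
            "patient": patient_id,
            "date": day.isoformat(),
            "decision": decision,
            "needs_review": decision != "allow",
        })
        return decision != "deny"

    def events_needing_review(self) -> List[Dict]:
        """Denials and break-glass reads that policy staff should look at."""
        return [e for e in self.audit_log if e["needs_review"]]


def build_demo_policy() -> EhrAccessPolicy:
    """Constructed sample relationships (not real clinicians or patients)."""
    return EhrAccessPolicy(relationships=[
        CareRelationship("dr_alvarez", "pat_1001", date(2024, 1, 1), date(2024, 3, 31)),
        CareRelationship("dr_baker", "pat_1001", date(2024, 2, 1)),
        CareRelationship("dr_alvarez", "pat_1002", date(2024, 1, 15)),
    ])


def run_demo() -> Dict:
    """Exercise the policy on the sample data and return the outcomes."""
    policy = build_demo_policy()
    results = {
        "active_relationship": policy.can_read_chart("dr_alvarez", "pat_1001", date(2024, 2, 15)),
        "expired_relationship": policy.can_read_chart("dr_alvarez", "pat_1001", date(2024, 5, 1)),
        "no_relationship": policy.can_read_chart("dr_chen", "pat_1001", date(2024, 2, 15)),
        "break_glass": policy.can_read_chart("dr_chen", "pat_1001", date(2024, 2, 15),
                                             break_glass=True),
    }
    results["review_count"] = len(policy.events_needing_review())
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The expired-relationship case is the one worth noticing: the clinician had legitimate access a few months earlier, and a system that checks only “is this a physician?” would still allow the read. Tying the decision to an end-dated relationship is what makes the policy enforceable by the technology, and the review list is where the remaining policy control applies.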
Keeping Technology Current