How High Will We Go?

Image credit: healthitoutcomes.com

Last year Ponemon reported information security incidents cost the healthcare industry more than $6.2 billion. I expect this year that number will continue to increase.

One reason is that the number two cost vector cited in the report was ransomware. Ransomware incidents are not on the decline. TrendMicro reported in August that the first half of 2016 alone had seen a 172% increase in ransomware incidents over all of 2015 combined.

Another reason is the importance of information availability in the clinical environment. Where other industries may sardonically quip, “it’s not a matter of life and death,” in healthcare, it quite literally is. As an analyst at ESET put it, “Criminals know this and are deliberately targeting medical organizations.”

Collectively, those of us in the information security field hold a special trust and confidence with those who share personal health information. We need to do a better job of controlling risks to that information, and of making the case for allocating resources to those who approve budgets but may not completely understand the risk.


A Dumpster Full of Treasure

Hackers didn’t do it.  Cyber activists didn’t do it.  There was no identity theft ring to hold responsible.  What happened was the wrong boxes were picked up and thrown in a dumpster.  So, 94,000 letters had to be mailed to patients to inform them that their names, medical record numbers, payment methods, lab results, and in some cases, Social Security numbers or driver’s license numbers were unwittingly disclosed.  But at least there was no breach of the database, no penetration of the firewall, so that’s good news, right?

Wrong.  Technology did not fail in this case, people did.  And there are two reasons why this is bad news.

First, penalties.  There are a lot of requirements in HIPAA, but they boil down to the Security Rule and the Privacy Rule.  Now, the Security Rule deals exclusively with electronic health records, so it doesn’t apply here.  The other half of HIPAA, the Privacy Rule, which can be summarized as, “Don’t share personal health information unless there’s a need to know,” definitely applies.  Here there was failure.  As of this writing, there has been no announcement of any penalties coming from the Office for Civil Rights (the Health and Human Services enforcement division), but we know that penalties can be as high as $1.5 million total for a given year.  That cap could actually be a real savings for the hospital if the OCR decides penalties are in order, because the minimum penalty is $100 per record per incident, or around $9,400,000 for 94,000 records!  No doubt that will hurt financially, and that is bad not only for the hospital, but for the community it serves.

Second, the public trust is damaged.  It’s hard to quantify what the public trust is worth.  There are some studies on consumer trust in other markets, but the trust between patient and doctor may be worlds apart from those.  Lab results, or even the ordering of certain types of lab work, offer a raw glimpse into the most confidential of health information: HIV status, drug use, pregnancy, genetic conditions, etc.  Patients may think, “better go to another hospital in town if I want it to remain between me and my doctor.”  This really hurts the entire medical field, as the sterling trustworthiness of doctors and hospital staff is tarnished.

In addition to what this hospital is doing, what lessons can the rest of us learn from this incident?  As I said at the beginning, this was human error, not a technical failing.  Here are some best practices to consider, given what we know, to establish a sound information security management system:

  • Assign an owner – someone who is personally responsible for the records; nothing focuses a person’s attention and makes them a true advocate for the protection of patient information like knowing their job is on the line.
  • Label all sensitive information – whether a cover sheet, a folder, or brightly colored labels on banker’s boxes, anything confidential should be recognizable from the outside.
  • Establish a retention policy – the longer information is retained, on paper or electronically, the more likely something will happen to it; a retention policy should set the shortest possible period before records are destroyed.
  • Physically secure records locations – whether data centers or records closets, only those who are prescreened and approved as having a business requirement should have access.
  • Shred all paper records on-site – the days when paper had to be hauled off to a distant location for shredding have long passed; on-site shredding, where a staff member witnesses the destruction and collects the receipt, is now nearly universally available.
  • When projects are planned, make sure information security is a part of the plan – as the axiom goes, failing to plan is planning to fail.  All projects should include an information security risk assessment in the planning and execution phases, alongside consideration of cost, safety, etc.  This is the new norm in project management.

Anyone who handles personal health information should take this opportunity to assess their own controls and make improvements where needed.