Healthcare organizations will spend more money on IT security in 2018 than ever before. But the statistics suggest these cybersecurity warriors may be taking one step forward and two steps back.
Comparing U.S. Department of Health and Human Services HIPAA violation data for calendar year 2017 versus unofficial tallies year to date, it would appear that the industry is making progress. Violations are down from 477 in 2017 to just 180 in the first half of this year.
But the numbers behind the numbers are alarming.
5.6M patient records were exposed a year ago. 3.5M have been breached through June of this year, a pro-rated increase of 20%. While hacking and phishing attacks continue to grab the headlines (Ministry of Health in Singapore, 1.5M records; UnityPoint Health, 1.4M records), insider causes (e.g. unauthorized access/disclosure) are rising at an alarming rate.
Terry Grogan performs HIPAA compliance audits for health systems and medical practices across the country and says that while security awareness is up, staff education is still lagging behind.
Q: What do the 2017-2018 numbers tell you at first glance?
Terry: To be honest, I’m not surprised. The reason that people are seeing an increase in what’s being taken and a decrease in the number of actual attacks is the increase in the number of organized companies that are training people to conduct targeted attacks. Today, for example, I had a hacker posing as the COO asking for specific information, targeting specific people within the health system. The methods are getting more sophisticated and more brazen.
Q: Should a health system be any more worried about severe monetary penalties today?
Terry: If an organization has assessed their risk environment and then employs reasonable controls, reasonable security, reasonable training, and takes reasonable actions when employees are negligent or doing something they shouldn’t be doing, that company is unlikely to be fined or the fine should be limited.
Q: What do you see as the most common violations when you conduct an audit?
Terry: Lack of written policies and lack of written standards are by far the largest. Even smaller healthcare clients, especially clinical practices, immediately jump to the conclusion that to be “HIPAA compliant” they have to put a boatload of technology into place. While technology will help when it is the appropriate technology, if they don’t have good processes and good policies, and they don’t train people… that will get them into far more trouble. There is still a certain amount of risk that needs to be mitigated by policy and training, and those are always the things that are lacking.
Q: The security challenges are the most difficult when dealing with a health system and thousands of employees. What about small medical practices? Should they be as concerned?
Terry: Absolutely! In fact, they often have to be a little more concerned because when a practice is that small the training isn’t often as formalized; it tends to be on-the-job training that may not necessarily be consistent from one employee to the next. The employee in question may be doing something they don’t realize they shouldn’t be doing. Plus, a lot of practices think, “To be HIPAA compliant I have to spend a lot of money.” I ask these practices, “What is the risk you are willing to take? Have you even thought about it before you throw a technology at it?” To which they reply, “How do I start looking at this?”
Q: And the answer is?
Terry: Start with HealthIT.gov, and fill out the security assessment checklist. It is the same document I use as a baseline tool when I come to do a risk assessment for them, and it allows you to see how much of the assessment has less to do with technology, and so much more to do with people, process, and policy.
Q: With the push for interoperability and giving patients more control and access to more data, the complexities surrounding security and protection of personal health information are only going to get more severe, correct?
Terry: Yes, absolutely. The larger and more complex you get, the more you need to look at dedicating resources and actually understanding the complexities and challenges around security. It’s about people, process, and technology, in that order.
And the pressure’s on. Seema Verma, the Administrator of the Centers for Medicare and Medicaid tweeted this week that “Systems too often refuse to share data because they fear their patients will be poached. This mentality has to be changed because it endangers the health of millions of Americans.” That’s one way to look at it but in the end, it comes down to risk versus reward. President Dwight D. Eisenhower was more succinct. “If you want total security, go to prison. The only thing lacking…is freedom.”