News Feature | September 27, 2013

How To Avoid Health Data Breaches

Source: Health IT Outcomes
Katie Wike

By Katie Wike, contributing writer

Health data breaches have become epidemic - experts offered up their advice on how to best avoid them

Health IT Outcomes asked recently, Are Health Data Breaches An Epidemic?

“As the healthcare industry continues to digitize patient data as part of the EHR movement, instances of reported health data breaches are on the rise,” wrote Ken Congdon, who then noted a number of examples, including:

  • The Utah Department of Health suffered a data breach in March 2012 when hackers broke into a Medicaid server and removed patient files.
  • In April 2013, the William Jennings Bryan Dorn VA medical center notified 7,405 patients that an unprotected laptop containing their personal health information was stolen.
  • Altamonte Springs, FL-based Adventist Health System/Sunbelt was slammed with a class action lawsuit for allegedly failing to safeguard the protected health information of more than 763,000 patients in its electronic database

Now, with the HIPAA Final Omnibus Rule establishing new standards and penalties for breaches such as those above, avoiding them is more important than ever. A post on Mondaq reviews the HIPAA Final Rule, writing, “Any acquisition, access, use or disclosure of unsecured PHI in a manner not permitted by HIPAA will be presumed to be a breach. To overcome this presumption, the Covered Entity or business associate must demonstrate (and document) the low probability that the PHI was compromised. The factors to be weighed in assessing the probability of compromise must include the following four factors at a minimum:

  • The nature and extent of the PHI involved, including the types of identifiers and the likelihood of re-identification;
  • The unauthorized person who used the PHI or to whom the disclosure was made;
  • Whether the PHI was actually acquired or viewed; and
  • The extent to which the risk of harm to the affected individuals has been mitigated.”

Avoiding breaches is the best way to avoid the penalties associated with them, and Healthcare IT News reports avoidance was the subject of the HIMSS Media/Healthcare IT News Privacy and Security Forum held recently.

Jon Hale, vice president of security practice at Attachmate, spoke at the forum and said the greatest danger of a security breach is “the unknown unknown.” To combat that, a provider needs to familiarize him or herself “with HIPAA and subject (their) organization to a rigorous risk assessment.”

Forest Blanton, senior vice president and CIO at Memorial Healthcare System offered more advice - “prepare, and don’t panic.” Healthcare IT News summarizes Blanton’s presentation, “With employees handling data every day, we can't simply ‘look at an assessment just like a checklist,' a once-and-done review to make sure that technology systems are sound and compliant.

“Indeed, the most damaging security problems are often "low-tech," he said, and can happen on any given day – employees stealing copies of face sheets, for example, or taking pictures with camera phones.”

And keeping up with security risks is a never ending process according to experts. “I don't think we'll ever be done. It's like a game of cops and robbers, and technology is always moving,” said Blanton. And in his experience, hospital audits constantly turn up risks from virtually all technology. “We end up with thousands of listings of things that are vulnerabilities, but that might not be the most important thing to put your attention on," said Blanton. "That's where the analysis of the risk, and where the threats are, becomes key. We could spend our whole lives fixing things that might not be that important.”

Reviewing security, completing risk assessments, and making upgrades on passwords and security can prevent dangerous security breaches but in the event one does occur, the best advice Blanton can offer is to learn a lesson and move forward. “In our case, we looked where we had personally identifiable information stored and it turned out, quite frankly, to be pervasive throughout our system," said Blanton. "We spent a long time, six or eight months, figuring out where that information lies, who needs to have access to it, removing it entirely from systems if it's not necessary, finding a way to expunge the historical records.”

And they made a lot of system upgrades. "We reviewed our password reset policies – we tightened them up,” said Blanton. “We put in processes to look at our affiliated physicians and their activity, to make sure that they're vouching that their employees legitimately have access to the information – we do that about every 90 days now."