Cybersecurity is a hot topic at the Healthcare Information and Management Systems Society conference (HIMSS 2015) in Chicago this week. A number of scheduled presentations relate to data security and the Health Insurance Portability and Accountability Act (HIPAA), aimed at compliance officers and IT professionals who are trying to navigate HIPAA regulations and get their organizations fully compliant.
On Monday 13, Marion Jenkins, PhD, FHIMSS, Chief Strategy Officer at 3t Systems, gave a session entitled HIPAA Security: A Decade of Breaches, in which he explained the current landscape, how the HIPAA Security Rule has changed over the past 10 years, and how covered entities' (CEs') attitudes to the legislation have shifted.
In the presentation, Jenkins gave some examples of the real causes behind the data breaches and suggested a number of easy – and not so easy – remedies that healthcare providers and other CEs can implement to reduce the risk of being affected.
Jenkins pointed out that in the past 6 years there have been 1,189 reported breaches of HIPAA-classified data – PHI – with the number of reported incidents having increased by 50% in the past 12 months. To date, he said, 133 million patient records have been exposed in data breaches.
Jenkins said that the cost of breaches of HIPAA data can be astronomical, and used the examples of Sutter Health and SAIC, both of which have been cited in multibillion-dollar class action lawsuits.
Laptop Theft Dominates HIPAA Breach Reports
While hacking is attracting a lot of media attention, the majority of data breaches involve other disclosures of PHI. Jenkins pointed out that theft of devices was the most common cause of data breaches, accounting for 55%, while unauthorized access accounted for 19%, loss for 12% and unspecified causes for 14%.
He warned attendees that the loss and theft of laptop computers is the biggest problem, accounting for 25% of breaches, and cited a habitual offender, Stanford Children’s Hospital, which has repeatedly suffered breaches when physicians’ cars have been broken into and their laptops stolen.
He offered an answer to a question many patients may have asked: what is their healthcare data doing on a laptop left in a car park? The answer could be that, in order to access medical records in a timely manner and get on with the job of curing people, some physicians may attempt to shortcut slow systems by downloading data onto their work laptop. A physician may do this for all of the records that he is required to access.
It was pointed out that healthcare providers, insurers and other CEs may have been misled into believing they are HIPAA-compliant when they are not. Jenkins said claims of HIPAA-compliant EHRs and HIPAA-compliant cloud services may be taken to mean every aspect of HIPAA is covered by the provider. He said “there are two problems with that assertion; first, there is no such thing as a HIPAA-certified EHR. Second, the EHR isn’t the problem … it’s the user behavior when they’re pulling reports, pulling data out of the EHR and then having a breach with that.”
HIPAA Regulations are Outdated
Jenkins also criticized HIPAA regulations as outdated and unable to keep up with the pace of change in the healthcare industry. For instance, he pointed out that there is no mention of “laptops” or “Smartphones” in the HIPAA regulations, and that the Security Rule does not even specify basic security measures, such as not using “password” as a password or requiring that access passwords be changed frequently. Similarly, timeouts, logoff intervals and Wi-Fi encryption are not sufficiently covered. He used the example of WEP encryption being HIPAA-compliant, even though it is hardly secure and is frequently breached.
Given the number of breaches, the targeted attacks and the cost of security breaches to the industry, Jenkins believes that HIPAA regulations should be kept more up to date, and that healthcare organizations should do more to ensure they are fully compliant and have adopted the safeguards required by current legislation covering Protected Health Information.